Edit tour

Windows Analysis Report
socks.exe

Overview

General Information

Sample name:	socks.exe
Analysis ID:	1645398
MD5:	9d126f26bc3fe620319944a6f64c6906
SHA1:	8ce752408fff84d2a621c4dac61067fb0a750a32
SHA256:	073874a38fb63387ab9f9b592dab5e49c6407fb899c11f8b7859334a219aceed
Infos:

Detection

Sliver

Score:	76
Range:	0 - 100
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Sliver Implants

Joe Sandbox ML detected suspicious sample

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Yara signature match

Classification

Process Tree

System is w10x64_ra

socks.exe (PID: 640 cmdline: "C:\Users\user\Desktop\socks.exe" MD5: 9D126F26BC3FE620319944A6F64C6906)

conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

1https.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\1https.exe" MD5: 3F6DD6C85F9E9A02FDEA20076F69B66D)

2mtls.exe (PID: 348 cmdline: "C:\Users\user\Desktop\2mtls.exe" MD5: 17AF646CFBB7FCFE4F0F6DBCFC2E31DD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Sliver	According to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.	No Attribution	https://asec.ahnlab.com/en/47088/ https://asec.ahnlab.com/en/55652/ https://asec.ahnlab.com/en/56941/ https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2750661869.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000007.00000002.2750661869.000000C00017E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000005.00000002.2753618543.000000C0002C2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000007.00000002.2750661869.000000C000160000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000005.00000002.2753618543.000000C00028B000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000007.00000000.2535867511.00000000016ED000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x8663f:$a1: ).RequestResend 0x757a8:$a2: ).GetPrivInfo
00000005.00000000.2459726498.0000000000B37000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x72e24:$a1: ).RequestResend 0x6719d:$a2: ).GetPrivInfo
Process Memory Space: 1https.exe PID: 7064	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
Process Memory Space: 1https.exe PID: 7064	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0x7241e:$a1: ).RequestResend 0x832ca:$a1: ).RequestResend 0x36d18:$a2: ).GetPrivInfo 0x61a92:$a2: ).GetPrivInfo
Process Memory Space: 2mtls.exe PID: 348	JoeSecurity_Sliver	Yara detected Sliver Implants	Joe Security
Process Memory Space: 2mtls.exe PID: 348	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xa7ac1:$a1: ).RequestResend 0xdd0af:$a1: ).RequestResend 0x9be3a:$a2: ).GetPrivInfo 0xd1a5b:$a2: ).GetPrivInfo
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.2mtls.exe.de0000.0.unpack	Multi_Trojan_Bishopsliver_42298c4a	unknown	unknown	0xbb5424:$a1: ).RequestResend 0xba979d:$a2: ).GetPrivInfo
7.0.2mtls.exe.de0000.0.unpack	INDICATOR_TOOL_Sliver	Detects Sliver implant cross-platform adversary emulation/red team	ditekSHen	0x928a55:$s3: .WGTCPForwarder 0x929fb6:$s3: .WGTCPForwarder 0x92c595:$s3: .WGTCPForwarder 0x92d0bf:$s3: .WGTCPForwarder 0x92fc2b:$s3: .WGTCPForwarder 0x930b29:$s3: .WGTCPForwarder 0x9247e4:$s6: .BackdoorReq 0x9289bf:$s7: .ProcessDumpReq 0x92c186:$s8: .InvokeSpawnDllReq 0x920ac7:$s9: .SpawnDll 0x924902:$s9: .SpawnDll

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: socks.exe	Virustotal: Detection: 39%			Perma Link
Source: socks.exe	ReversingLabs: Detection: 34%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.6% probability

Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_8b4d0962-4

Source: socks.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.18:49980 -> 45.61.169.127:8443

Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239
Source: unknown	TCP traffic detected without corresponding DNS query: 88.119.167.239

Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp

String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: 246.229.1.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: marnyonline.com

Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca
Source: 1https.exe, 00000005.00000002.2758181883.000000C000476000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fh=5n0730528&j=HTTP/1.1
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/
Source: 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html
Source: 1https.exe, 00000005.00000002.2750144160.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?
Source: 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?Mozilla/5.0
Source: 1https.exe, 00000005.00000002.2750144160.000000C00009E000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0002EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872
Source: 1https.exe, 00000005.00000002.2753618543.000000C0002EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872Mozilla/5.0
Source: 1https.exe, 00000005.00000002.2750144160.000000C00009E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872untrusted
Source: 1https.exe, 00000005.00000002.2750144160.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.html?insufficient
Source: 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.php
Source: 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/db/oauth2/namespaces/php/samples.phphttp://marnyonline.com/db/oauth2/namespac
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/http://marnyonline.com
Source: 1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.com/w
Source: 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.comEnumDisplaySettingsWEnumDisplaySettingsWGetExtendedUdpTableCreateToolhelp32Sna
Source: 1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://marnyonline.comrej
Source: socks.exe, 00000000.00000002.2749118235.00007FF65BC21000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ew=425262h91&n=HTTP/1.1
Source: 1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/https://marnyonline.com
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/namespaces/api.html
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/namespaces/api.html?
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEProxyC
Source: 1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/namespaces/api.html?ew=425262h91&n=94e15875
Source: 1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/namespaces/api.html?ew=425262h91&n=94e15875http://marnyonline.comage-encrypt
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/namespaces/api.php
Source: 1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.com/namespaces/api.phphttps://marnyonline.com/namespaces/api.htmlhttps://marnyon
Source: 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts
Source: 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.comWinHttpGetProxyForUrlWinHttpGetProxyForUrlWinHttpCloseHandleWinHttpCloseHandl
Source: 1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v1
Source: 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_131aa77a-1

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.0.2mtls.exe.de0000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 7.0.2mtls.exe.de0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: 1https.exe PID: 7064, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: 2mtls.exe PID: 348, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown

Source: 7.0.2mtls.exe.de0000.0.unpack, type: UNPACKEDPE	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 7.0.2mtls.exe.de0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: 1https.exe PID: 7064, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: 2mtls.exe PID: 348, type: MEMORYSTR	Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14

Source: socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: .telemark.nomalatvuopmi.nohamburgreservd.dev.thingdust.iogo.jpotsuchi.iwate.jpnet.slnet.soal.usbounceme.netgo.keporsgrunn.nonet.ss!city.yokohama.jptarnobrzeg.plnet.stdishis-a-chef.coms.bggjerdrum.noshiogama.miyagi.jptara.saga.jpyamada.toyama.jpnet.thnet.synet.tjs

Source: classification engine

Classification label: mal76.troj.evad.winEXE@4/1@2/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_03

Source: C:\Users\user\Desktop\1https.exe	File opened: C:\Windows\system32\9246315bee1544471d4aad7baaeb0f39e4badc8b3762c339f59c3b34c7cb0b03AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	File opened: C:\Windows\system32\13dd9674580bb3e38d0bc58c6fb3aeb55ea398d1bb73bd7cb1fd72d74f87ea26AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior

Source: C:\Users\user\Desktop\socks.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: socks.exe	Virustotal: Detection: 39%
Source: socks.exe	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\socks.exe "C:\Users\user\Desktop\socks.exe"
Source: C:\Users\user\Desktop\socks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\1https.exe "C:\Users\user\Desktop\1https.exe"
Source: unknown	Process created: C:\Users\user\Desktop\2mtls.exe "C:\Users\user\Desktop\2mtls.exe"

Source: C:\Users\user\Desktop\socks.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Section loaded: mswsock.dll	Jump to behavior

Source: socks.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: socks.exe

Static file information: File size 13725696 > 1048576

Source: socks.exe	Static PE information: Raw size of lbre is bigger than: 0x100000 < 0x4bb800
Source: socks.exe	Static PE information: Raw size of .hyy is bigger than: 0x100000 < 0x85aa00

Source: socks.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\socks.exe

Unpacked PE file: 0.2.socks.exe.7ff65bc20000.0.unpack lgdr:EW;lbre:EW;.rsrc:W;.hyy:W; vs lgdr:ER;lbre:ER;.rsrc:W;.hyy:W;

Source: initial sample

Static PE information: section where entry point is pointing to: lbre

Source: socks.exe	Static PE information: section name: lgdr
Source: socks.exe	Static PE information: section name: lbre
Source: socks.exe	Static PE information: section name: .hyy

Source: C:\Users\user\Desktop\socks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\socks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1https.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\1https.exe TID: 6956

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: 2mtls.exe, 00000007.00000002.2755559814.000002818271C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: socks.exe, 00000000.00000002.2748269165.00000269322AE000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: socks.exe, 00000000.00000002.2749118235.00007FF65C6CF000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\Desktop\1https.exe	Queries volume information: C:\Users\user\Desktop\1https.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\2mtls.exe	Queries volume information: C:\Users\user\Desktop\2mtls.exe VolumeInformation			Jump to behavior

Stealing of Sensitive Information

Yara detected Sliver Implants

Source: Yara match	File source: 00000007.00000002.2750661869.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2750661869.000000C00017E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2753618543.000000C0002C2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2750661869.000000C000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2753618543.000000C00028B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2535867511.00000000016ED000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2459726498.0000000000B37000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1https.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2mtls.exe PID: 348, type: MEMORYSTR

Remote Access Functionality

Yara detected Sliver Implants

Source: Yara match	File source: 00000007.00000002.2750661869.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2750661869.000000C00017E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2753618543.000000C0002C2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2750661869.000000C000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2753618543.000000C00028B000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2535867511.00000000016ED000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2459726498.0000000000B37000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1https.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2mtls.exe PID: 348, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
socks.exe	40%	Virustotal		Browse
socks.exe	34%	ReversingLabs	Win64.Trojan.Seheq

Source	Detection	Scanner	Label
https://marnyonline.comWinHttpGetProxyForUrlWinHttpGetProxyForUrlWinHttpCloseHandleWinHttpCloseHandl	0%	Avira URL Cloud	safe
http://marnyonline.com/http://marnyonline.com	0%	Avira URL Cloud	safe
https://marnyonline.com/namespaces/api.php	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?	0%	Avira URL Cloud	safe
https://marnyonline.com/namespaces/api.phphttps://marnyonline.com/namespaces/api.htmlhttps://marnyon	0%	Avira URL Cloud	safe
https://marnyonline.com/namespaces/api.html?ew=425262h91&n=94e15875http://marnyonline.comage-encrypt	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872untrusted	0%	Avira URL Cloud	safe
http://fh=5n0730528&j=HTTP/1.1	0%	Avira URL Cloud	safe
https://marnyonline.com	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?Mozilla/5.0	0%	Avira URL Cloud	safe
http://marnyonline.comrej	0%	Avira URL Cloud	safe
http://marnyonline.com/w	0%	Avira URL Cloud	safe
https://marnyonline.com/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEProxyC	0%	Avira URL Cloud	safe
https://marnyonline.com/namespaces/api.html?	0%	Avira URL Cloud	safe
https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl	0%	Avira URL Cloud	safe
https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.php	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.phphttp://marnyonline.com/db/oauth2/namespac	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872	0%	Avira URL Cloud	safe
https://marnyonline.com/namespaces/api.html?ew=425262h91&n=94e15875	0%	Avira URL Cloud	safe
https://ew=425262h91&n=HTTP/1.1	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?insufficient	0%	Avira URL Cloud	safe
http://marnyonline.com/	0%	Avira URL Cloud	safe
http://marnyonline.com	0%	Avira URL Cloud	safe
http://marnyonline.comEnumDisplaySettingsWEnumDisplaySettingsWGetExtendedUdpTableCreateToolhelp32Sna	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872Mozilla/5.0	0%	Avira URL Cloud	safe
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca	0%	Avira URL Cloud	safe
http://marnyonline.com/db/oauth2/namespaces/php/samples.html	0%	Avira URL Cloud	safe
https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v1	0%	Avira URL Cloud	safe
https://marnyonline.com/https://marnyonline.com	0%	Avira URL Cloud	safe
https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts	0%	Avira URL Cloud	safe
https://marnyonline.com/namespaces/api.html	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
marnyonline.com	45.61.169.127	true	false		unknown
246.229.1.0.in-addr.arpa	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.phreedom.org/md5)	socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp	false		high
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872untrusted	1https.exe, 00000005.00000002.2750144160.000000C00009E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.com/namespaces/api.php	1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.comWinHttpGetProxyForUrlWinHttpGetProxyForUrlWinHttpCloseHandleWinHttpCloseHandl	1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fh=5n0730528&j=HTTP/1.1	1https.exe, 00000005.00000002.2758181883.000000C000476000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)08:27	socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp	false		high
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?	1https.exe, 00000005.00000002.2750144160.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aiim.org/pdfa/ns/id/	socks.exe, 00000000.00000002.2749118235.00007FF65BC21000.00000040.00000001.01000000.00000003.sdmp	false		high
https://marnyonline.com	1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.com/namespaces/api.phphttps://marnyonline.com/namespaces/api.htmlhttps://marnyon	1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/http://marnyonline.com	1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?Mozilla/5.0	1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreports.qt.io/	socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp	false		high
https://marnyonline.com/namespaces/api.html?ew=425262h91&n=94e15875http://marnyonline.comage-encrypt	1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/db/oauth2/namespaces/php/samples.php	1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/w	1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.com/namespaces/api.html?NO_PROXYno_proxyHTTPS_PROXYhttps_proxyWinHttpGetIEProxyC	1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/db/oauth2/namespaces/php/samples.phphttp://marnyonline.com/db/oauth2/namespac	1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.com/namespaces/api.html?	1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.comrej	1https.exe, 00000005.00000002.2759393907.00000182C274C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.com/https://marnyonline.commarnyonline.com:443tcpmarnyonline.comhttps://marnyonl	1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872	1https.exe, 00000005.00000002.2750144160.000000C00009E000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0002EE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.comhttps://marnyonline.comhttps://marnyonline.comtime:	1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.com/namespaces/api.html?ew=425262h91&n=94e15875	1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ew=425262h91&n=HTTP/1.1	1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?insufficient	1https.exe, 00000005.00000002.2750144160.000000C0000B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com	1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp, 1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/	1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.comEnumDisplaySettingsWEnumDisplaySettingsWGetExtendedUdpTableCreateToolhelp32Sna	1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca	socks.exe, 00000000.00000002.2749118235.00007FF65C475000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/db/oauth2/namespaces/php/samples.html	1https.exe, 00000005.00000002.2753618543.000000C000234000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://marnyonline.com/db/oauth2/namespaces/php/samples.html?fh=5n0730528&j=80066872Mozilla/5.0	1https.exe, 00000005.00000002.2753618543.000000C0002EE000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.comcommonpb/common.protosliverpb.Envelope.IDIDage-encryption.org/v1	1https.exe, 00000005.00000002.2753618543.000000C000224000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.com/https://marnyonline.com	1https.exe, 00000005.00000002.2753618543.000000C00021A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.com/namespaces/api.html	1https.exe, 00000005.00000002.2753618543.000000C00022E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://marnyonline.comWinHTTP:AutoDetectWinHttpSetTimeoutsWinHttpSetTimeouts	1https.exe, 00000005.00000002.2753618543.000000C0001DA000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.119.167.239	unknown	Lithuania		61272	IST-ASLT	false
45.61.169.127	marnyonline.com	United States		8100	ASN-QUADRANET-GLOBALUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1645398
Start date and time:	2025-03-21 17:50:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	socks.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@4/1@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.86.251.28, 20.109.210.53, 13.107.246.40
Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
12:51:09	API Interceptor	26x Sleep call for process: socks.exe modified
12:52:45	API Interceptor	2x Sleep call for process: 1https.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
88.119.167.239	dwm.exe	Get hash	malicious	Unknown	Browse
88.119.167.239	dwm.exe	Get hash	malicious	Unknown	Browse
45.61.169.127	2mtls.exe	Get hash	malicious	Sliver	Browse
45.61.169.127	1https.exe	Get hash	malicious	Sliver	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
marnyonline.com	1https.exe	Get hash	malicious	Sliver	Browse	45.61.169.127

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IST-ASLT	mr64.exe.exe	Get hash	malicious	Meterpreter	Browse	88.119.175.124
	New Agreement Document 2025.com	Get hash	malicious	Unknown	Browse	85.206.168.238
	New Agreement Document 2025.com	Get hash	malicious	Unknown	Browse	85.206.168.238
	file.exe	Get hash	malicious	SystemBC	Browse	88.119.165.46
	file.exe	Get hash	malicious	SystemBC	Browse	88.119.165.46
	file.exe	Get hash	malicious	SystemBC	Browse	88.119.165.46
	file.exe	Get hash	malicious	SystemBC	Browse	88.119.165.46
	random.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Babadeda, LummaC Stealer, SystemBC	Browse	88.119.165.46
	Croblxn.exe	Get hash	malicious	SystemBC	Browse	88.119.165.46
	H#4051-5353.vbs	Get hash	malicious	AsyncRAT	Browse	88.119.175.153
ASN-QUADRANET-GLOBALUS	2mtls.exe	Get hash	malicious	Sliver	Browse	45.61.169.127
	1https.exe	Get hash	malicious	Sliver	Browse	45.61.169.127
	http://t.dripemail2.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzQyNDg1MjAxLCJuYmYiOjE3NDI0ODUyMDEsImFjY291bnRfaWQiOiI5MjExNzMxIiwiZGVsaXZlcnlfaWQiOiI2ZGY2cmIydXVwbjY4cnNhdWo0NCIsInRva2VuIjoiNmRmNnJiMnV1cG42OHJzYXVqNDQiLCJzZW5kX2F0IjoxNzQyNDgzOTQ4LCJlbWFpbF9pZCI6MTA1MDc4ODcsImVtYWlsYWJsZV90eXBlIjoiQnJvYWRjYXN0IiwiZW1haWxhYmxlX2lkIjo0MTkzMDc4LCJ1cmwiOiJodHRwOi8vZ2NyLnVwcGxleC5jby5rZT9fX3M9cWMwZ2JsdTk1emZnYmh3ZHp5OG4mdXRtX3NvdXJjZT1kcmlwJnV0bV9tZWRpdW09ZW1haWwmdXRtX2NhbXBhaWduPVdlK2dvdCthK21ha2VvdmVyLiJ9.nJ9tzd3-jhbWgSNwRLHamHKYwZXuNcZIG2E1QBFM5fg	Get hash	malicious	HTMLPhisher	Browse	45.61.169.110
	ATT11027.xhtml	Get hash	malicious	HTMLPhisher	Browse	185.174.100.76
	http://url5681.planter.eco/ls/click?upn=u001.PX1-2BssefkOe686e7wTSUMqibxN-2FCUadbAKgpTv23cYOIQxMvH9FGLuwPON-2Ft4V08mI3EhMVAoZnU-2Br4hRroTgY6212B0nGnr8aV-2B5ZtDZ10DmDDkH6mdlmAzG8M-2BiNsGPGMX1iPzlrrdaY9R4kk4qHfVergkdfGzm-2BAmGL-2FwYqLpCth-2FU-2ByXRztop6mHKwMCk43gAzvI9DCKmBcEcJQKyQ-3D-3Da5U3_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIU9EPMkwXhPBMhFexKYRqOhYUH1k-2FQVOT9D8S6mnbGzOTVeFZqZ2eiXdrD6GdHPzzO106h29UdS-2BIz4v5acd9FnatQanlGtMNJsbvRJRS5dF6-2BMeTnNy39wilhlMfgiqmmr792hlZiyIO30hIfNO7fmE4Qvw7CYEB9aPKMoYkpeVA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.245.240.188
	AVISO DE COBRO DHL - 1606604473.PDF.exe	Get hash	malicious	DarkCloud	Browse	204.44.192.90
	splx86.elf	Get hash	malicious	Unknown	Browse	64.189.38.253
	resgod.arm5.elf	Get hash	malicious	Mirai	Browse	104.247.172.118
	https://office.mx-senora.com/validate-captcha?user_id=4bP8rZrJvBAKS5wfleIW	Get hash	malicious	Unknown	Browse	45.61.166.78
	Factura - FAT120250320.pdf(94KB).com.exe	Get hash	malicious	DarkTortilla, XWorm	Browse	104.245.240.123

Process:	C:\Users\user\Desktop\socks.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	495
Entropy (8bit):	4.858007298055784
Encrypted:	false
SSDEEP:	6:38vNR/DLQghpmYTIa4Lew1+c/DLQghpmYTIa4Lew1+c/DLQghpmYTIa4Lew11:3kRPKP3PKP3PKPX
MD5:	1A839174AF00B901CD9C5401CA973E62
SHA1:	84E81EF9015F2A18F01B5CE36EA9B9DC4F246015
SHA-256:	3C66F62A17005A38F1A266B00353C052B369A8137EFE123E0B8865E84BDA24E0
SHA-512:	06F87E8762F52571F043A8B1196D8A3AEED91AFECDEC2EB8C0BCB772987B9A8BD2252283555A155B04B3E633DB18D72B3E2FDFE2D28B109D2FC2E6480FFB6DCD
Malicious:	false
Reputation:	low
Preview:	Successfully connected..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..QAbstractSocket::connectToHost() called when already looking up or connecting/connected to "88.119.167.239"..QIODevice::write (QTcpSocket): device not open..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	3.7975971825806716
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	socks.exe
File size:	13'725'696 bytes
MD5:	9d126f26bc3fe620319944a6f64c6906
SHA1:	8ce752408fff84d2a621c4dac61067fb0a750a32
SHA256:	073874a38fb63387ab9f9b592dab5e49c6407fb899c11f8b7859334a219aceed
SHA512:	947279fb4cd0c142ef02871e8bc7b18543fff524d02403ae5675069117b6c6f259f6ff6bedfeddc45496e16fd9e429a80b1dbe1c6a32633ea08693e7854a8616
SSDEEP:	98304:HBU7dMJyxIzC1j8iN0Z61Fe+ZwHQjgNV6wvFQmjoLDmQn4F:hwxB3061FecwHZ7wf4
TLSH:	1ED63396078F41B1DC48E036C1FEB9B85E12E3ABD0872EB4B90DF0CE1474AD1965DDA6
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........f.a...2...2...2...3...2...3...2.{s2...2.{.3...2.{.3...2.{.3...2.{.3!..2...3...2...3...2...3...2...2...2.{.3...2.{.3...2.{q2...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140baf2c0
Entrypoint Section:	lbre
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65BD1B85 [Fri Feb 2 16:42:45 2024 UTC]
TLS Callbacks:	0x40baf51c, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	cde2e272252c977356a358cddccd60d8

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFB44D35h]
dec eax
lea edi, dword ptr [esi-006F3000h]
dec eax
lea eax, dword ptr [edi+00AE4698h]
push dword ptr [eax]
mov dword ptr [eax], F3EEF9A7h
push eax
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F0A24ABAFF5h
add ebx, ebx
je 00007F0A24ABAFA4h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F0A24ABAFC3h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F0A24ABAFBDh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F0A24ABAF91h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F0A24ABAFB2h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F0A24ABAF92h
rep ret
cld
inc ecx
pop ebx
jmp 00007F0A24ABAFAAh
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F0A24ABAFACh
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F0A24ABAF88h
lea eax, dword ptr [ecx+01h]
jmp 00007F0A24ABAFA9h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F0A24ABAFACh
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F0A24ABAF86h
sub eax, 03h
jc 00007F0A24ABAFBBh
shl eax, 08h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb02dc	0x594	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbb0000	0x2dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xae8000	0x5fd3c	lbre
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbb0870	0x24	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xbaf548	0x28	lbre
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xbaf5b8	0x140	lbre
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
lgdr	0x1000	0x6f3000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lbre	0x6f4000	0x4bc000	0x4bb800	a44f5ddbf908a2fd24b099b81f95b48f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xbb0000	0x1000	0xa00	52eb68c6b3743947fd28e5dea8b9d1f1	False	0.397265625	data	4.247106170162627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.hyy	0xbb1000	0x85a9fb	0x85aa00	0fe60e822598f3b8da74e721c37a20bc	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xbb005c	0x27e	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5501567398119123

Imports

DLL	Import
ADVAPI32.dll	CopySid
bcrypt.dll	BCryptEncrypt
CRYPT32.dll	CertOpenStore
DNSAPI.dll	DnsFree
dwmapi.dll	DwmSetWindowAttribute
DWrite.dll	DWriteCreateFactory
GDI32.dll	BitBlt
IMM32.dll	ImmNotifyIME
IPHLPAPI.DLL	GetAdaptersAddresses
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
NETAPI32.dll	NetShareEnum
ole32.dll	DoDragDrop
OLEAUT32.dll	SysStringLen
Secur32.dll	EncryptMessage
SHELL32.dll
USER32.dll	GetDC
USERENV.dll	GetUserProfileDirectoryW
VERSION.dll	VerQueryValueW
WINHTTP.dll	WinHttpOpen
WINMM.dll	PlaySoundW
WS2_32.dll	WSAGetLastError
WTSAPI32.dll	WTSFreeMemory

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 96
• 8443 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 17:51:10.842123985 CET	49699	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:10.842170954 CET	443	49699	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:10.842247963 CET	49699	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:10.852704048 CET	49699	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:10.852721930 CET	443	49699	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:10.852782965 CET	443	49699	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:15.861116886 CET	49701	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:15.861165047 CET	443	49701	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:15.861272097 CET	49701	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:15.861618042 CET	49701	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:15.861629963 CET	443	49701	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:15.861676931 CET	443	49701	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:20.863182068 CET	49709	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:20.863246918 CET	443	49709	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:20.863363028 CET	49709	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:20.863584995 CET	49709	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:20.863600016 CET	443	49709	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:20.863661051 CET	443	49709	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:25.856200933 CET	49750	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:25.856249094 CET	443	49750	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:25.856370926 CET	49750	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:25.856692076 CET	49750	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:25.856709003 CET	443	49750	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:25.856758118 CET	443	49750	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:30.866435051 CET	49790	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:30.866493940 CET	443	49790	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:30.866578102 CET	49790	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:30.866794109 CET	49790	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:30.866815090 CET	443	49790	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:30.866869926 CET	443	49790	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:35.888155937 CET	49825	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:35.888211966 CET	443	49825	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:35.888290882 CET	49825	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:35.888508081 CET	49825	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:35.888529062 CET	443	49825	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:35.888572931 CET	443	49825	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:40.890175104 CET	49865	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:40.890228033 CET	443	49865	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:40.890310049 CET	49865	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:40.890573978 CET	49865	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:40.890592098 CET	443	49865	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:40.890635014 CET	443	49865	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:45.894412994 CET	49905	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:45.894483089 CET	443	49905	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:45.894623041 CET	49905	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:45.899436951 CET	49905	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:45.899511099 CET	443	49905	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:45.899614096 CET	49905	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:50.923146009 CET	49945	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:50.923183918 CET	443	49945	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:50.923258066 CET	49945	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:50.923852921 CET	49945	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:50.923866987 CET	443	49945	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:50.923924923 CET	443	49945	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:55.925142050 CET	49966	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:55.925201893 CET	443	49966	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:55.925301075 CET	49966	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:55.925532103 CET	49966	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:51:55.925548077 CET	443	49966	88.119.167.239	192.168.2.18
Mar 21, 2025 17:51:55.925604105 CET	443	49966	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:00.924387932 CET	49967	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:00.924433947 CET	443	49967	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:00.924520016 CET	49967	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:00.924987078 CET	49967	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:00.925039053 CET	443	49967	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:00.925107002 CET	49967	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:05.925751925 CET	49968	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:05.925786018 CET	443	49968	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:05.925867081 CET	49968	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:05.926264048 CET	49968	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:05.926273108 CET	443	49968	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:05.926335096 CET	443	49968	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:10.933525085 CET	49969	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:10.933576107 CET	443	49969	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:10.933665037 CET	49969	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:10.933974028 CET	49969	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:10.933988094 CET	443	49969	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:10.934042931 CET	443	49969	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:15.934597015 CET	49970	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:15.934643030 CET	443	49970	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:15.934760094 CET	49970	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:15.935213089 CET	49970	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:15.935225010 CET	443	49970	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:15.935276031 CET	443	49970	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:20.937552929 CET	49971	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:20.937607050 CET	443	49971	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:20.937748909 CET	49971	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:20.938523054 CET	49971	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:20.938536882 CET	443	49971	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:20.938586950 CET	443	49971	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:25.933626890 CET	49972	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:25.933686018 CET	443	49972	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:25.933763027 CET	49972	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:25.934175014 CET	49972	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:25.934187889 CET	443	49972	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:25.934284925 CET	443	49972	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:30.942420006 CET	49973	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:30.942547083 CET	443	49973	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:30.942662001 CET	49973	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:30.942962885 CET	49973	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:30.942990065 CET	443	49973	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:30.943048000 CET	443	49973	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:35.942820072 CET	49974	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:35.942879915 CET	443	49974	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:35.943051100 CET	49974	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:35.943341017 CET	49974	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:35.943351984 CET	443	49974	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:35.943414927 CET	443	49974	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:40.951351881 CET	49975	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:40.951404095 CET	443	49975	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:40.951565981 CET	49975	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:40.951837063 CET	49975	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:40.951860905 CET	443	49975	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:40.951905966 CET	443	49975	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:45.965429068 CET	49976	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:45.965467930 CET	443	49976	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:45.965548992 CET	49976	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:45.965847969 CET	49976	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:45.965859890 CET	443	49976	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:45.965909004 CET	443	49976	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:46.850038052 CET	49977	443	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:46.850104094 CET	443	49977	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:46.850184917 CET	49977	443	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:46.850477934 CET	49977	443	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:46.850495100 CET	443	49977	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:46.984410048 CET	443	49977	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:46.996573925 CET	49978	80	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:47.128324032 CET	80	49978	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:47.631915092 CET	49978	80	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:49.635927916 CET	49978	80	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:49.768887043 CET	80	49978	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:50.274071932 CET	49978	80	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:50.406383991 CET	80	49978	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:50.913963079 CET	49978	80	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:50.962974072 CET	49979	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:50.963035107 CET	443	49979	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:50.963180065 CET	49979	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:50.963448048 CET	49979	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:50.963459015 CET	443	49979	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:50.965169907 CET	443	49979	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:51.047904015 CET	80	49978	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:54.256315947 CET	49980	8443	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:54.388546944 CET	8443	49980	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:54.894625902 CET	49980	8443	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:55.027004957 CET	8443	49980	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:55.528616905 CET	49980	8443	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:55.661288023 CET	8443	49980	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:55.977886915 CET	49981	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:55.977933884 CET	443	49981	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:55.978034973 CET	49981	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:55.981869936 CET	49981	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:52:55.981882095 CET	443	49981	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:55.981937885 CET	443	49981	88.119.167.239	192.168.2.18
Mar 21, 2025 17:52:56.164501905 CET	49980	8443	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:56.296838045 CET	8443	49980	45.61.169.127	192.168.2.18
Mar 21, 2025 17:52:56.802462101 CET	49980	8443	192.168.2.18	45.61.169.127
Mar 21, 2025 17:52:56.934945107 CET	8443	49980	45.61.169.127	192.168.2.18
Mar 21, 2025 17:53:00.980653048 CET	49982	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:00.980712891 CET	443	49982	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:00.980803967 CET	49982	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:00.981318951 CET	49982	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:00.981374025 CET	443	49982	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:00.981441021 CET	49982	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:05.979597092 CET	49983	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:05.979651928 CET	443	49983	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:05.979773045 CET	49983	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:05.980056047 CET	49983	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:05.980063915 CET	443	49983	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:05.992470026 CET	443	49983	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:10.997555971 CET	49984	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:10.997613907 CET	443	49984	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:10.997697115 CET	49984	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:10.997950077 CET	49984	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:10.997965097 CET	443	49984	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:10.998018026 CET	443	49984	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:16.849551916 CET	49985	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:16.849612951 CET	443	49985	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:16.849701881 CET	49985	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:16.849844933 CET	49985	443	192.168.2.18	88.119.167.239
Mar 21, 2025 17:53:16.849858999 CET	443	49985	88.119.167.239	192.168.2.18
Mar 21, 2025 17:53:16.849919081 CET	443	49985	88.119.167.239	192.168.2.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 17:51:10.717336893 CET	56118	53	192.168.2.18	1.1.1.1
Mar 21, 2025 17:51:10.822911978 CET	53	56118	1.1.1.1	192.168.2.18
Mar 21, 2025 17:52:46.559330940 CET	55408	53	192.168.2.18	1.1.1.1
Mar 21, 2025 17:52:46.846820116 CET	53	55408	1.1.1.1	192.168.2.18

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 21, 2025 17:51:10.717336893 CET	192.168.2.18	1.1.1.1	0xedbb	Standard query (0)	246.229.1.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Mar 21, 2025 17:52:46.559330940 CET	192.168.2.18	1.1.1.1	0x702d	Standard query (0)	marnyonline.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 21, 2025 17:51:10.822911978 CET	1.1.1.1	192.168.2.18	0xedbb	Name error (3)	246.229.1.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Mar 21, 2025 17:52:46.846820116 CET	1.1.1.1	192.168.2.18	0x702d	No error (0)	marnyonline.com		45.61.169.127	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• socks.exe
• conhost.exe
• 1https.exe
• 2mtls.exe

Click to jump to process

Memory Usage

• socks.exe
• conhost.exe
• 1https.exe
• 2mtls.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	12:51:09
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\socks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\socks.exe"
Imagebase:	0x7ff65bc20000
File size:	13'725'696 bytes
MD5 hash:	9D126F26BC3FE620319944A6F64C6906
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:51:09
Start date:	21/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7b8370000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:52:44
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\1https.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1https.exe"
Imagebase:	0x130000
File size:	17'320'960 bytes
MD5 hash:	3F6DD6C85F9E9A02FDEA20076F69B66D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000002.2753618543.000000C0002C2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000002.2753618543.000000C00028B000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000005.00000000.2459726498.0000000000DA4000.00000002.00000001.01000000.00000005.sdmp, Author: unknown Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000000.2459726498.0000000000B37000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:52:51
Start date:	21/03/2025
Path:	C:\Users\user\Desktop\2mtls.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2mtls.exe"
Imagebase:	0xde0000
File size:	15'661'568 bytes
MD5 hash:	17AF646CFBB7FCFE4F0F6DBCFC2E31DD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000002.2750661869.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000002.2750661869.000000C00017E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000002.2750661869.000000C000160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000000.2535867511.00000000016ED000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000007.00000000.2535867511.0000000001923000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report socks.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
socks.exe