Play interactive tour

Edit tour

Analysis Report curl.exe

Overview

General Information

Sample Name:	curl.exe
Analysis ID:	325355
MD5:	8ecf909850cc916a45109959ddeac74b
SHA1:	9b2498aa00af6d900fb35e9d3954752d6ef62e0b
SHA256:	6b3e24c9bd6146941bd2fa653e88a476a11dd3deb296feed1221571490f294b7
Most interesting Screenshot:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE / OLE file has an invalid certificate

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

curl.exe (PID: 3476 cmdline: 'C:\Users\user\Desktop\curl.exe' MD5: 8ECF909850CC916A45109959DDEAC74B)

conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: curl.exe, 00000000.00000000.220033575.0000000001012000.00000002.00020000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then push dword ptr [esp+04h]
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then mov eax, dword ptr [edi+00000378h]
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then mov eax, dword ptr [edi+00000378h]
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then inc edi
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then mov ebx, dword ptr [esi]
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then mov byte ptr [ebp+00h], cl
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then push dword ptr [ecx+ebp*4-04h]
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then cmp byte ptr [ebp+000000AAh], 00000000h
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then add eax, dword ptr [ecx+10h]
Source: C:\Users\user\Desktop\curl.exe	Code function: 4x nop then mov eax, dword ptr [ebx]

Source: C:\Users\user\Desktop\curl.exe

Code function: 0_2_00D89B70 recv,recv,recv,

Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe	String found in binary or memory: Usage: curl [options...] <url>

Source: curl.exe	String found in binary or memory: http://.css
Source: curl.exe	String found in binary or memory: http://.jpg
Source: curl.exe	String found in binary or memory: http://html4/loose.dtd
Source: curl.exe	String found in binary or memory: http://https://-.://%s%s%s/%s
Source: curl.exe	String found in binary or memory: https://curl.haxx.se/P
Source: curl.exe	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: curl.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: curl.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: curl.exe	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: curl.exe	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.htmlcurl
Source: curl.exe	String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html

Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D846F0
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D870B0
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D72010
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D8A805
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D8C990
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00DA9100
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00DAA2A0
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D8DBD0
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00DBBB50
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D89B70
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D82B00
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D8E4C0
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_01008560
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D81DD0
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00DEBD80
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00DEE650
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D8E7D0
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00DAA740

Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00DB1CE0 appears 119 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00D85C50 appears 34 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00DB1E70 appears 66 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00D7A770 appears 50 times
Source: C:\Users\user\Desktop\curl.exe	Code function: String function: 00D859C0 appears 56 times

Source: curl.exe	Static PE information: invalid certificate
Source: curl.exe	Static PE information: invalid certificate

Source: classification engine

Classification label: clean4.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\curl.exe

Code function: 0_2_00D8D1D0 GetLastError,_errno,FormatMessageA,strchr,_errno,_errno,GetLastError,SetLastError,

Source: C:\Users\user\Desktop\curl.exe

Code function: 0_2_00D73950 memset,GetLastError,CreateToolhelp32Snapshot,GetLastError,Module32First,Module32Next,CloseHandle,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01

Source: curl.exe

Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\curl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: dns-ipv4-addr
Source: curl.exe	String found in binary or memory: dns-ipv6-addr
Source: curl.exe	String found in binary or memory: false-start
Source: curl.exe	String found in binary or memory: @url4dns-ipv4-addr6dns-ipv6-addrarandom-filebegd-fileBoauth2-bearercconnect-timeoutCdoh-urldciphersDdns-interfaceedisable-epsvfdisallow-username-in-urlEepsvFdns-serversgtraceGnpnhtrace-asciiHalpnilimit-ratejcompressedJtr-encodingkdigestlnegotiatemntlmMntlm-wbnbasicoanyauthqftp-create-dirsrcreate-dirssmax-redirstproxy-ntlmucrlfvstderrwinterfacexkrbkrb4Xhaproxy-protocolyzdisable-eprtZeprt~xattr$aftp-sslssl$bftp-pasv$csocks5$dtcp-nodelay$eproxy-digest$fproxy-basic$gretry$Vretry-connrefused$hretry-delay$iretry-max-time$kproxy-negotiate$mftp-account$nproxy-anyauth$otrace-time$pignore-content-length$qftp-skip-pasv-ip$rftp-method$slocal-port$tsocks4$Tsocks4a$uftp-alternative-to-user$vftp-ssl-reqdssl-reqd$wsessionid$xftp-ssl-control$yftp-ssl-ccc$jftp-ssl-ccc-mode$zlibcurl$#raw$0post301$1keepalive$2socks5-hostname$3keepalive-time$4post302$5noproxy$7socks5-gssapi-nec$8proxy1.0$9tftp-blksize$Amail-from$Bmail-rcpt$Cftp-pret$Dproto$Eproto-redir$Fresolve$Gdelegation$Hmail-auth$Ipost303$Jmetalink$6sasl-authzid$Ksasl-ir$Ltest-event$Munix-socket$Npath-as-is$Osocks5-gssapi-serviceproxy-service-name$Pservice-name$Qproto-default$Rexpect100-timeout$Stftp-no-options$Uconnect-to$Wabstract-unix-socket$Xtls-max$Ysuppress-connect-headers$Zcompressed-ssh$~happy-eyeballs-timeout-ms0http1.001http1.102http203http2-prior-knowledge04http309http0.91tlsv110tlsv1.011tlsv1.112tlsv1.213tlsv1.31Atls13-ciphers1Bproxy-tls13-ciphers2sslv23sslv34ipv46ipv6aappendAuser-agentbcookiebaalt-svcBuse-asciiccookie-jarCcontinue-atddatadrdata-rawdadata-asciidbdata-binarydedata-urlencodeDdump-headererefererEcertEacacertEbcert-typeEckeyEdkey-typeEepassEfengineEgcapathEhpubkeyEihostpubmd5EjcrlfileEktlsuserEltlspasswordEmtlsauthtypeEnssl-allow-beastEppinnedpubkeyEPproxy-pinnedpubkeyEqcert-statusErfalse-startEsssl-no-revokeEttcp-fastopenEuproxy-tlsuserEvproxy-tlspasswordEwproxy-tlsauthtypeExproxy-certEyproxy-cert-typeEzproxy-keyE0proxy-key-typeE1proxy-passE2proxy-ciphersE3proxy-crlfileE4proxy-ssl-allow-beastE5login-optionsE6proxy-cacertE7proxy-capathE8proxy-insecureE9proxy-tlsv1EAsocks5-basicEBsocks5-gssapiECetag-saveEDetag-compareffailfafail-earlyfbstyled-outputfcmail-rcpt-allowfailsFformFsform-stringggloboffGgetGarequest-targethhelpHheaderHpproxy-headeriincludeIheadjjunk-session-cookiesJremote-header-namekinsecureKconfigllist-onlyLlocationLtlocation-trustedmmax-timeMmanualnnetrcnonetrc-optionalnenetrc-fileNbufferooutputOremote-nameOaremote-name-allpproxytunnelPftp-portqdisableQquoterrangeRremote-timessilentSshow-errorttelnet-optionTupload-fileuuserUproxy-uservverboseVversionwwrite-outxproxyxapreproxyXrequestYspeed-limityspeed-timeztime-condZparallelZbparallel-maxZcparallel-immediate#progress-bar#mprogress-meternextinvalid number specified for %s
Source: curl.exe	String found in binary or memory: @url4dns-ipv4-addr6dns-ipv6-addrarandom-filebegd-fileBoauth2-bearercconnect-timeoutCdoh-urldciphersDdns-interfaceedisable-epsvfdisallow-username-in-urlEepsvFdns-serversgtraceGnpnhtrace-asciiHalpnilimit-ratejcompressedJtr-encodingkdigestlnegotiatemntlmMntlm-wbnbasicoanyauthqftp-create-dirsrcreate-dirssmax-redirstproxy-ntlmucrlfvstderrwinterfacexkrbkrb4Xhaproxy-protocolyzdisable-eprtZeprt~xattr$aftp-sslssl$bftp-pasv$csocks5$dtcp-nodelay$eproxy-digest$fproxy-basic$gretry$Vretry-connrefused$hretry-delay$iretry-max-time$kproxy-negotiate$mftp-account$nproxy-anyauth$otrace-time$pignore-content-length$qftp-skip-pasv-ip$rftp-method$slocal-port$tsocks4$Tsocks4a$uftp-alternative-to-user$vftp-ssl-reqdssl-reqd$wsessionid$xftp-ssl-control$yftp-ssl-ccc$jftp-ssl-ccc-mode$zlibcurl$#raw$0post301$1keepalive$2socks5-hostname$3keepalive-time$4post302$5noproxy$7socks5-gssapi-nec$8proxy1.0$9tftp-blksize$Amail-from$Bmail-rcpt$Cftp-pret$Dproto$Eproto-redir$Fresolve$Gdelegation$Hmail-auth$Ipost303$Jmetalink$6sasl-authzid$Ksasl-ir$Ltest-event$Munix-socket$Npath-as-is$Osocks5-gssapi-serviceproxy-service-name$Pservice-name$Qproto-default$Rexpect100-timeout$Stftp-no-options$Uconnect-to$Wabstract-unix-socket$Xtls-max$Ysuppress-connect-headers$Zcompressed-ssh$~happy-eyeballs-timeout-ms0http1.001http1.102http203http2-prior-knowledge04http309http0.91tlsv110tlsv1.011tlsv1.112tlsv1.213tlsv1.31Atls13-ciphers1Bproxy-tls13-ciphers2sslv23sslv34ipv46ipv6aappendAuser-agentbcookiebaalt-svcBuse-asciiccookie-jarCcontinue-atddatadrdata-rawdadata-asciidbdata-binarydedata-urlencodeDdump-headererefererEcertEacacertEbcert-typeEckeyEdkey-typeEepassEfengineEgcapathEhpubkeyEihostpubmd5EjcrlfileEktlsuserEltlspasswordEmtlsauthtypeEnssl-allow-beastEppinnedpubkeyEPproxy-pinnedpubkeyEqcert-statusErfalse-startEsssl-no-revokeEttcp-fastopenEuproxy-tlsuserEvproxy-tlspasswordEwproxy-tlsauthtypeExproxy-certEyproxy-cert-typeEzproxy-keyE0proxy-key-typeE1proxy-passE2proxy-ciphersE3proxy-crlfileE4proxy-ssl-allow-beastE5login-optionsE6proxy-cacertE7proxy-capathE8proxy-insecureE9proxy-tlsv1EAsocks5-basicEBsocks5-gssapiECetag-saveEDetag-compareffailfafail-earlyfbstyled-outputfcmail-rcpt-allowfailsFformFsform-stringggloboffGgetGarequest-targethhelpHheaderHpproxy-headeriincludeIheadjjunk-session-cookiesJremote-header-namekinsecureKconfigllist-onlyLlocationLtlocation-trustedmmax-timeMmanualnnetrcnonetrc-optionalnenetrc-fileNbufferooutputOremote-nameOaremote-name-allpproxytunnelPftp-portqdisableQquoterrangeRremote-timessilentSshow-errorttelnet-optionTupload-fileuuserUproxy-uservverboseVversionwwrite-outxproxyxapreproxyXrequestYspeed-limityspeed-timeztime-condZparallelZbparallel-maxZcparallel-immediate#progress-bar#mprogress-meternextinvalid number specified for %s
Source: curl.exe	String found in binary or memory: --dns-ipv4-addr <address>
Source: curl.exe	String found in binary or memory: --dns-ipv6-addr <address>
Source: curl.exe	String found in binary or memory: --false-start
Source: curl.exe	String found in binary or memory: -h, --help
Source: curl.exe	String found in binary or memory: -h, --help
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: Note: Warning: curl: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: Note: Warning: curl: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe	String found in binary or memory: teupgradeconnectionkeep-aliveproxy-connectiontransfer-encodingiphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory
Source: curl.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: curl.exe	String found in binary or memory: 8H[\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe've already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywayUnable to allocate memory for direct-tcpip connectiondirect-tcpipQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestUnable to complete request for channel-setenvcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF state
Source: curl.exe	String found in binary or memory: id-cmc-addExtensions
Source: curl.exe	String found in binary or memory: set-addPolicy
Source: curl.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: unknown	Process created: C:\Users\user\Desktop\curl.exe 'C:\Users\user\Desktop\curl.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: curl.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: curl.exe

Static file information: File size 3665528 > 1048576

Source: curl.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x29d000

Source: curl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\curl.exe

Code function: 0_2_01008500 push dword ptr [eax+04h]; ret

Source: C:\Users\user\Desktop\curl.exe

API coverage: 3.9 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: curl.exe, 00000000.00000002.222728767.0000000001687000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\curl.exe

Code function: 0_2_00D7119B SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,_cexit,exit,

Source: C:\Users\user\Desktop\curl.exe

Code function: 0_2_00F41790 cpuid

Source: C:\Users\user\Desktop\curl.exe

Code function: 0_2_01007600 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D87C80 setsockopt,WSAGetLastError,setsockopt,WSAIoctl,WSAGetLastError,_errno,_errno,_errno,strlen,memset,strncmp,strncmp,htons,connect,WSAGetLastError,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,strchr,htons,htons,atoi,
Source: C:\Users\user\Desktop\curl.exe	Code function: 0_2_00D9C6B0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,strlen,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
curl.exe	1%	Virustotal	Browse
curl.exe	3%	Metadefender	Browse
curl.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
http://https://-.://%s%s%s/%s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	curl.exe	false	Avira URL Cloud: safe	low
https://curl.haxx.se/P	curl.exe	false		high
https://curl.haxx.se/docs/sslcerts.htmlcurl	curl.exe	false		high
http://.css	curl.exe	false	Avira URL Cloud: safe	low
https://curl.haxx.se/docs/sslcerts.html	curl.exe	false		high
http://.jpg	curl.exe	false	Avira URL Cloud: safe	low
http://https://-.://%s%s%s/%s	curl.exe	false	Avira URL Cloud: safe	low
https://curl.haxx.se/docs/copyright.htmlD	curl.exe	false		high
https://curl.haxx.se/docs/http-cookies.html	curl.exe	false		high
https://curl.haxx.se/docs/http-cookies.html#	curl.exe	false		high
https://curl.haxx.se/libcurl/c/curl_easy_setopt.html	curl.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	325355
Start date:	01.12.2020
Start time:	16:14:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 28s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	curl.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\curl.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	65
Entropy (8bit):	4.072088490405251
Encrypted:	false
SSDEEP:	3:3JtRMeLIINAJYEC5FIIIisK5Asd4MKLvon:3JtRMeZNBr5bCKrGMKM
MD5:	9866F0FF70F8F7B6F78591AC628AB7DB
SHA1:	41C75CEFDE68B4B9EC243E9E3D97A5E23FCA8220
SHA-256:	7C978C4CC74DB046CDFFF35D4871470CC451D8B413BD7CE18177E573DC4A1A6D
SHA-512:	A85751E9470C715188C5CF00E04846C3B64A6C9AFDF1FC359E8FA7CEEC33F6EB9EDB83F1426C201445087EFDC176F39A09BB1B6786B1D54D6F972A61EE8591EE
Malicious:	false
Reputation:	low
Preview:	curl: try 'curl --help' or 'curl --manual' for more information..

Static File Info

General
File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.630848577570199
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	curl.exe
File size:	3665528
MD5:	8ecf909850cc916a45109959ddeac74b
SHA1:	9b2498aa00af6d900fb35e9d3954752d6ef62e0b
SHA256:	6b3e24c9bd6146941bd2fa653e88a476a11dd3deb296feed1221571490f294b7
SHA512:	a4b466ce2547f95e52131e225ee3a09cd27b662ae59ff1cdc72661917b56105305a4231f80164c7cfe6a998d057b0b52767bb0df468a4966708ecf74474f5c56
SSDEEP:	98304:lY+F4MgiiR68KR8sgg54Et7aELpozAk/7TQN/1HgXi1PHg5Au5CnrkTpomPmA:lY+iMgiiR68hg54Et7aELpozAk/7TQNU
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e.h^..............."..)...7..L............)...@...........................8.....'.8...@... .......................6.1..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5E688765 [Wed Mar 11 06:38:29 2020 UTC]
TLS Callbacks:	0x697790, 0x697740
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fbcfa0527c3a6bfc7058cebfb7fda96d

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=curl-for-win Root CA, OU=curl-for-win Root CA, O=curl-for-win
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	8/31/2018 5:18:17 AM 8/30/2021 5:18:17 AM
Subject Chain	CN=curl-for-win Code Signing Authority, OU=curl-for-win Code Signing Authority, O=curl-for-win
Version:	1
Thumbprint MD5:	CC8563168F4109B8BAE721145080CC63
Thumbprint SHA-1:	9246D98702FFFFC7843FC36B1661F1BA3D503F9B
Thumbprint SHA-256:	627746EAC7A2A761C16ECAF9E9D321D0FB17ECA0E31C1CFA165299EDBBB90A78
Serial:	01

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [00768094h], 00000000h
call 00007FC78CA64563h
add esp, 0Ch
jmp 00007FC78C7CE0ABh
lea esi, dword ptr [esi+00000000h]
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FC78CA6A286h
test eax, eax
sete al
add esp, 1Ch
movzx eax, al
neg eax
ret
nop
nop
nop
push edi
push esi
push dword ptr [esp+10h]
push 00000000h
call 00007FC78C7EDDA8h
add esp, 08h
xor esi, esi
test eax, eax
je 00007FC78C7CE442h
mov edi, eax
mov eax, dword ptr [esp+0Ch]
test eax, eax
je 00007FC78C7CE423h
mov ecx, dword ptr [eax+04h]
mov dword ptr [ecx+04h], edi
mov ecx, dword ptr [eax+04h]
mov ecx, dword ptr [ecx+04h]
mov dword ptr [eax+04h], ecx
jmp 00007FC78C7CE425h
push 00000008h
call 00007FC78CA6A165h
add esp, 04h
test eax, eax
je 00007FC78C7CE41Eh
mov dword ptr [eax], edi
mov dword ptr [eax+04h], edi
mov esi, eax
mov eax, esi
pop esi
pop edi
ret
push edi
call 00007FC78C7EDE94h
add esp, 04h
jmp 00007FC78C7CE402h
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
mov eax, dword ptr [esp+04h]
test eax, eax
je 00007FC78C7CE421h
push dword ptr [eax]
call 00007FC78C7EDE76h
add esp, 04h
jmp 00007FC78CA6A176h
ret
nop
nop
nop
nop
push dword ptr [esp+04h]
call 00007FC78CA69F8Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x369000	0x31	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a000	0x1f30	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36e000	0x758	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x37e000	0xe78	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36f000	0x1813c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x362698	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36a53c	0x488	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29c42c	0x29d000	unknown	unknown	unknown	unknown	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.data	0x29e000	0x3d1c	0x3e00	False	0.252646169355	data	3.32974315191	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rdata	0x2a2000	0xc11e8	0xc1200	False	0.500654834142	data	6.53042939968	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.bss	0x364000	0x4be0	0x0	False	0	empty	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.edata	0x369000	0x31	0x200	False	0.08203125	data	0.45198680657	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.idata	0x36a000	0x1f30	0x2000	False	0.365478515625	data	5.39355870015	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.CRT	0x36c000	0x34	0x200	False	0.07421875	data	0.273546138354	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.tls	0x36d000	0x8	0x200	False	0.02734375	data	0.0	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.rsrc	0x36e000	0x758	0x800	False	0.443359375	data	4.39372645642	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
.reloc	0x36f000	0x1813c	0x18200	False	0.521099821891	data	6.57073502873	IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x36e0a0	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0x36e430	0x325	XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptAcquireContextW, CryptCreateHash, CryptDestroyHash, CryptGenRandom, CryptGetHashParam, CryptHashData, CryptReleaseContext, DeregisterEventSource, RegisterEventSourceW, ReportEventW
CRYPT32.dll	CertAddCertificateContextToStore, CertCloseStore, CertCreateCertificateChainEngine, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFindExtension, CertFreeCertificateChain, CertFreeCertificateChainEngine, CertFreeCertificateContext, CertGetCertificateChain, CertGetNameStringA, CertOpenStore, CryptDecodeObjectEx, CryptQueryObject, CryptStringToBinaryA
KERNEL32.dll	CloseHandle, ConvertFiberToThread, ConvertThreadToFiber, CreateFiber, CreateFileA, CreateFileMappingA, CreateToolhelp32Snapshot, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, FindClose, FindFirstFileW, FindNextFileW, FormatMessageA, FormatMessageW, FreeLibrary, GetConsoleMode, GetConsoleScreenBufferInfo, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentVariableA, GetEnvironmentVariableW, GetFileSizeEx, GetFileTime, GetFileType, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemTime, GetSystemTimeAsFileTime, GetTickCount, GetTimeZoneInformation, GetVersion, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MapViewOfFile, Module32First, Module32Next, MoveFileExA, MultiByteToWideChar, PeekNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleA, ReadConsoleW, ReadFile, SearchPathA, SetConsoleMode, SetEndOfFile, SetFileTime, SetLastError, SetUnhandledExceptionFilter, Sleep, SleepEx, SwitchToFiber, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnmapViewOfFile, VerSetConditionMask, VerifyVersionInfoA, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile
msvcrt.dll	__getmainargs, __initenv, __lconv_init, __p__acmdln, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _chmod, _errno, _exit, _fileno, _fstati64, _get_osfhandle, _getpid, _initterm, _iob, _lseeki64, _onexit, _setmode, _snwprintf, _vsnwprintf, _stati64, _strdup, _stricmp, _strnicmp, _strtoi64, _sys_nerr, _vsnprintf, _wfopen, abort, atoi, calloc, clearerr, exit, fclose, feof, ferror, fflush, fgets, fopen, fprintf, fputc, fputs, fread, free, fseek, ftell, fwrite, getc, getenv, islower, isprint, isspace, isupper, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, localtime, gmtime, difftime, printf, putchar, puts, qsort, raise, realloc, rename, rewind, setbuf, setlocale, setvbuf, signal, sprintf, sscanf, strcat, strchr, strcmp, strcpy, strcspn, strerror, strlen, strncmp, strncpy, strpbrk, strrchr, strspn, strstr, strtok, strtol, strtoul, tolower, vfprintf, time, wcscpy, wcslen, wcsstr, _stat, _fstat, _write, _unlink, _strdup, _setmode, _read, _open, _mkdir, _isatty, _getch, _fileno, _close, _access
Normaliz.dll	IdnToAscii, IdnToUnicode
USER32.dll	FindWindowA, GetProcessWindowStation, GetUserObjectInformationW, MessageBoxW, SendMessageA
wldap32.dll	ber_free, ldap_bind_s, ldap_err2string, ldap_first_attribute, ldap_first_entry, ldap_get_dn, ldap_get_values_len, ldap_init, ldap_memfree, ldap_msgfree, ldap_next_attribute, ldap_next_entry, ldap_search_s, ldap_set_option, ldap_simple_bind_s, ldap_sslinit, ldap_unbind_s, ldap_value_free_len
WS2_32.dll	WSACleanup, WSAGetLastError, WSAIoctl, WSASetLastError, WSAStartup, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyname, gethostname, getnameinfo, getpeername, getsockname, getsockopt, htonl, htons, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket

Version Infos

Description	Data
LegalCopyright	1996 - 2020 Daniel Stenberg, <daniel@haxx.se>.
InternalName	curl
FileVersion	7.69.1
License	https://curl.haxx.se/docs/copyright.html
CompanyName	curl, https://curl.haxx.se/
ProductName	The curl executable
ProductVersion	7.69.1
FileDescription	The curl executable
OriginalFilename	curl.exe
Translation	0x0409 0x04b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• curl.exe
• conhost.exe

Click to jump to process

System Behavior

Analysis Process: curl.exe PID: 3476 Parent PID: 5752

General

Start time:	16:14:58
Start date:	01/12/2020
Path:	C:\Users\user\Desktop\curl.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\curl.exe'
Imagebase:	0xd70000
File size:	3665528 bytes
MD5 hash:	8ECF909850CC916A45109959DDEAC74B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Analysis Process: conhost.exe PID: 5860 Parent PID: 3476

General

Start time:	16:14:58
Start date:	01/12/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report curl.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Cryptography:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: curl.exe PID: 3476 Parent PID: 5752

General

File Activities

File Created

File Written

Analysis Process: conhost.exe PID: 5860 Parent PID: 3476

General

Disassembly

Code Analysis