Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe
Analysis ID:	472792
MD5:	af935ea48e33924f8d68a22a96ac811c
SHA1:	c0bf9094820c3fa33529ce90933018361c11aa37
SHA256:	f4914c162f5064fcfe9012ffa8a93972a1cd268bcaee0a7d2346b8757f553d2a
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Uses 32bit PE files

PE file does not import any functions

One or more processes crash

PE file contains an invalid checksum

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe (PID: 4728 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe' MD5: AF935EA48E33924F8D68A22A96AC811C)

WerFault.exe (PID: 6704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 212 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Virustotal: Detection: 8%

Perma Link

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

String found in binary or memory: http://www.clamav.net

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 212

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_0040A0C0	1_2_0040A0C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_00420183	1_2_00420183
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_0043599F	1_2_0043599F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_0042DA74	1_2_0042DA74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_0044220C	1_2_0044220C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_00412B40	1_2_00412B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_0040DCD0	1_2_0040DCD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_0042AC83	1_2_0042AC83
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_0041AD65	1_2_0041AD65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_0042BDF6	1_2_0042BDF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_00413680	1_2_00413680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_00438779	1_2_00438779
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Code function: 1_2_00437FFD	1_2_00437FFD

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Virustotal: Detection: 8%

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF798.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal52.winEXE@2/4@0/0

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 212

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4728

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000006.00000003.658112200.0000000005301000.00000004.00000001.sdmp

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Static PE information: real checksum: 0xd7da6 should be: 0xd8a39

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Process queried: DebugPort

Jump to behavior

Source: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Code function: 1_2_00427254 cpuid

1_2_00427254

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection2	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection2	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	9%	Virustotal		Browse
SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.1.SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	472792
Start date:	27.08.2021
Start time:	13:10:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.winEXE@2/4@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.182.143.212, 20.50.102.62, 20.54.7.98, 20.54.104.15, 40.112.88.60, 23.0.174.200, 23.0.174.185, 20.82.209.183, 23.10.249.26, 23.10.249.43 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_SecuriteInfo.com_168bd1e83f1cee92ce9f93e589bb9d763a0bc6a_fc729859_1b2a0a26\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8404
Entropy (8bit):	3.763144392956556
Encrypted:	false
SSDEEP:	96:jYj8g+9llKhMyoI7Jf0pXIQcQvc6QcEDMcw3DL+HbHg0c/NZAXGng5FMTPSkvPkb:EfM/HBUZMXojh/u7seS274ItUL
MD5:	21D1B72BC227A436759C3FDAD65C30A2
SHA1:	36A715DDCD14B38F2130FB60F83199E3E4D24323
SHA-256:	B4695E037228AC8714AC1DC743F45E77D7B138C35CCC8A78EFA2C3AC1F93B8B7
SHA-512:	62BAF73B04D24208F250518959ED7E09D9E69CBC1884FAAC6E838C510835599E5744F67EEE492F2C47550A9A03E726D2ECF594BF22D6E81E323E64886EAC3E3B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.4.5.3.6.2.6.9.2.1.2.3.7.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.4.5.3.6.2.7.2.3.6.8.6.2.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.b.b.7.5.f.e.-.3.6.c.6.-.4.1.2.b.-.8.7.6.2.-.d.d.a.e.c.f.f.2.3.d.7.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.0.b.b.4.0.5.-.4.c.4.f.-.4.e.0.5.-.a.2.2.f.-.1.4.8.3.7.8.4.3.9.d.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...W.i.n.3.2...S.a.b.s.i.k...F.L...B.m.l...1.5.6.0.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.7.8.-.0.0.0.1.-.0.0.1.b.-.f.9.8.f.-.6.e.3.a.3.4.9.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.e.d.b.c.2.d.0.6.0.2.2.6.6.c.8.e.5.2.5.5.b.6.0.0.f.d.a.6.1.e.5.0.0.0.0.f.f.f.f.!.0.0.0.0.c.0.b.f.9.0.9.4.8.2.0.c.3.f.a.3.3.5.2.9.c.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF798.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 27 11:11:09 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	18062
Entropy (8bit):	2.216233575143679
Encrypted:	false
SSDEEP:	192:l8uQKexQMLv62ojuMrg3tFOO0iqNRmh6rut4EAI:WuQ1yMLStjuP9FV0lrruZl
MD5:	D8C497D156E7E80B77E779D0A90D367C
SHA1:	EE638B11CCD228AB587A02F3CB836630D3596073
SHA-256:	B9C15B0B3565E4DCBA40600300F09A3EF9DE739B3050DD9B793006DC96421B3B
SHA-512:	D08659D60560DBBA0433CB5215151B3A024DA200AF9AC801B933AB2DF91503FD0D32CA6E7B0FED2FA355C9F3C0E8B50D58233A3D9862DF4AF1575786F3D613C8
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......M.(a...................U...........B..............GenuineIntelW...........T.......x...I.(a.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF92F.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8476
Entropy (8bit):	3.710582107876963
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiv+6YC6YrrSUD3Lgmf11ST+prj89bvnsfvFm:RrlsNiG6YC6YXSUD3LgmfnSTvsfA
MD5:	617EFBB19D63CA339B4C2CC6733365C2
SHA1:	02C5650018A35ED42C848BDB9417F8093C60E1FC
SHA-256:	95D9259D1BBCE9AE1D8CA591011AFA7BA85F23A1C79E4554CAD0808632801363
SHA-512:	DA057F5FE5C3AAFEAD38939F3566D2785142AA4937DA4B64A579AE247ED46CE4A11830E11E632C9A4F27A60BEC035AB04F1EC952264E66A030FCCC8CDA54FF4A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC1E.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4802
Entropy (8bit):	4.5885317853324175
Encrypted:	false
SSDEEP:	48:cvIwSD8zsfJgtWI9aUWSC8Bx8fm8M4JkjZFQ+q8+zAknbtw3+aad:uITfBdNSN4JKcFAknby3+aad
MD5:	15A03407014BA1DB2557AE6BDA08D838
SHA1:	8BFCAD77EC44FE1C4DC48F6732A67D77F2D42D83
SHA-256:	28B4ED6C6F6DC3462E71034651E0A06704EF951FE8ECCEF08E6B8AA84B713F5D
SHA-512:	8AF25B854718F74C6CDD8601B7789DDD6C8D97291056AA3BB2E086E2AFB2646AEAA2BDD0A3C4496BCF823887DE8B40768FF72A9F96B7444BAFB4C2435BBA0769
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1140261" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.043034552951079
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe
File size:	880640
MD5:	af935ea48e33924f8d68a22a96ac811c
SHA1:	c0bf9094820c3fa33529ce90933018361c11aa37
SHA256:	f4914c162f5064fcfe9012ffa8a93972a1cd268bcaee0a7d2346b8757f553d2a
SHA512:	4e6c91d344b7acaa72dafc235acecec4ce94955c1485f55b90cb153e0986332238175aa2a970364296f0ab2cdd807b40460ab7c7967fffc2b5b46e77bdbd4d22
SSDEEP:	12288:P1auaKKCWWWqG/iOG/IukoySsOkCZYYHSO69ciGIt7fWd:P1auaKT/eZSTYzzKipc
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.........."..........N.......k.....

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x426bf7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Entrypoint Preview

Instruction
call 00007EFE4437A7A6h
jmp 00007EFF3166A6A6h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007EFEB50CA49Ah
cmp edi, eax
jc 00007EFEB50CA7FEh
bt dword ptr [58F10B00h], 01h
jnc 00007EFEB50CA499h
rep movsb
jmp 00007EFF096BA6A6h
cmp ecx, 00000080h
jc 00007EFEB50CA664h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007EFEB50CA4A0h
bt dword ptr [70930B00h], 01h
jc 00007EFEB50CA970h
bt dword ptr [58F10B00h], 00000000h
jnc 00007EFEB50CA63Dh
test edi, 00000003h
jne 00007EFEB50CA64Eh
test esi, 00000003h
jne 00007EFEB50CA62Dh
bt edi, 02h
jnc 00007EFEB50CA49Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007EFEB50CA4A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007EFEB50CA4F5h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb6b6c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x7ccc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0x6c20	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2770	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x858	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8c000	0x8c000	False	0.522706821987	data	6.69461529259	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2d000	0x2d000	False	0.289930555556	data	5.35000817466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0xa000	0xa000	False	0.105078125	data	1.30461627365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x8000	0x8000	False	0.0670471191406	data	1.20884935027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xb000	0xb000	False	0.00148703835227	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2021 13:11:01.262397051 CEST	65298	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:01.295847893 CEST	53	65298	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:13.803761959 CEST	59123	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:13.825015068 CEST	53	59123	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:32.095745087 CEST	54531	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:32.138418913 CEST	53	54531	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:47.963325024 CEST	49714	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:48.170144081 CEST	53	49714	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:48.631480932 CEST	58028	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:48.734786034 CEST	53	58028	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:48.893383026 CEST	53097	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:48.934973955 CEST	53	53097	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:49.180206060 CEST	49257	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:49.335315943 CEST	53	49257	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:49.693980932 CEST	62389	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:49.715853930 CEST	53	62389	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:50.166816950 CEST	49910	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:50.187283993 CEST	53	49910	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:50.567831993 CEST	55854	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:50.588860989 CEST	53	55854	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:51.346745968 CEST	64549	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:51.368148088 CEST	53	64549	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:52.418809891 CEST	63153	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:52.440622091 CEST	53	63153	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:53.058739901 CEST	52991	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:53.199769020 CEST	53	52991	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:53.566437960 CEST	53700	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:53.587783098 CEST	53	53700	8.8.8.8	192.168.2.4
Aug 27, 2021 13:11:54.325922012 CEST	51726	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:11:54.347434044 CEST	53	51726	8.8.8.8	192.168.2.4
Aug 27, 2021 13:12:06.759242058 CEST	56794	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:12:06.781745911 CEST	56534	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:12:06.794132948 CEST	53	56794	8.8.8.8	192.168.2.4
Aug 27, 2021 13:12:06.816361904 CEST	53	56534	8.8.8.8	192.168.2.4
Aug 27, 2021 13:12:10.175153971 CEST	56627	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:12:10.209116936 CEST	53	56627	8.8.8.8	192.168.2.4
Aug 27, 2021 13:12:40.543097019 CEST	56621	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:12:40.565319061 CEST	53	56621	8.8.8.8	192.168.2.4
Aug 27, 2021 13:12:42.203593016 CEST	63116	53	192.168.2.4	8.8.8.8
Aug 27, 2021 13:12:42.237476110 CEST	53	63116	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

• SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe
• WerFault.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe PID: 4728 Parent PID: 5968

Function Logs

General

Start time:	13:11:05
Start date:	27/08/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe'
Imagebase:	0x400000
File size:	880640 bytes
MD5 hash:	AF935EA48E33924F8D68A22A96AC811C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	13:11:07
Start date:	27/08/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 212
Imagebase:	0xf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.15603.exe PID: 4728 Parent PID: 5968

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried