Windows Analysis Report
curl.exe

Overview

General Information

Sample Name: curl.exe
Analysis ID: 564852
MD5: 104023cef829fce3e34bf1514daff629
SHA1: b6e7b949109298ec7ff1aa64404a859b5b41ccae
SHA256: 15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Program does not show much activity (idle)
PE file contains sections with non-standard names

Classification

[Classification chart legend: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious]
Source: curl.exe, 00000000.00000002.662180702.00007FF6EC2C9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: curl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: curl.exe, 00000000.00000002.662180702.00007FF6EC2C9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe, 00000000.00000002.662180702.00007FF6EC2C9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: pkcs11::\Usage: curl [options...] <url>
Source: curl.exe String found in binary or memory: Usage: curl [options...] <url>
Source: curl.exe String found in binary or memory: pkcs11::\Usage: curl [options...] <url>
Source: curl.exe String found in binary or memory: http://.css
Source: curl.exe String found in binary or memory: http://.jpg
Source: curl.exe String found in binary or memory: http://html4/loose.dtd
Source: curl.exe String found in binary or memory: http://https://-.://%s%s%s/%s
Source: curl.exe String found in binary or memory: https://curl.se/P
Source: curl.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: curl.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: curl.exe String found in binary or memory: https://curl.se/docs/sslcerts.html
Source: curl.exe String found in binary or memory: https://curl.se/libcurl/c/curl_easy_setopt.html

System Summary

Source: curl.exe Static PE information: invalid certificate
Source: curl.exe Static PE information: Number of sections : 12 > 10
Source: curl.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\curl.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: curl.exe String found in binary or memory: dns-ipv4-addr
Source: curl.exe String found in binary or memory: dns-ipv6-addr
Source: curl.exe String found in binary or memory: false-start
Source: curl.exe String found in binary or memory: Use "--help category" to get an overview of all categories.
Source: curl.exe String found in binary or memory: For all options use the manual or "--help all".
Source: curl.exe String found in binary or memory: *@url*4dns-ipv4-addr*6dns-ipv6-addr*arandom-file*begd-file*Boauth2-bearer*cconnect-timeout*Cdoh-url*dciphers*Ddns-interface*edisable-epsv*fdisallow-username-in-url*Eepsv*Fdns-servers*gtrace*Gnpn*htrace-ascii*Halpn*ilimit-rate*jcompressed*Jtr-encoding*kdigest*lnegotiate*mntlm*Mntlm-wb*nbasic*oanyauth*qftp-create-dirs*rcreate-dirs*Rcreate-file-mode*smax-redirs*tproxy-ntlm*ucrlf*vstderr*Vaws-sigv4*winterface*xkrbkrb4*Xhaproxy-protocol*y*zdisable-eprt*Zeprt*~xattr$aftp-sslssl$bftp-pasv$csocks5$dtcp-nodelay$eproxy-digest$fproxy-basic$gretry$Vretry-connrefused$hretry-delay$iretry-max-time$kproxy-negotiate$lform-escape$mftp-account$nproxy-anyauth$otrace-time$pignore-content-length$qftp-skip-pasv-ip$rftp-method$slocal-port$tsocks4$Tsocks4a$uftp-alternative-to-user$vftp-ssl-reqdssl-reqd$wsessionid$xftp-ssl-control$yftp-ssl-ccc$jftp-ssl-ccc-mode$zlibcurl$#raw$0post301$1keepalive$2socks5-hostname$3keepalive-time$4post302$5noproxy$7socks5-gssapi-nec$8proxy1.0$9tftp-blksize$Amail-from$Bmail-rcpt$Cftp-pret$Dproto$Eproto-redir$Fresolve$Gdelegation$Hmail-auth$Ipost303$Jmetalink$6sasl-authzid$Ksasl-ir$Ltest-event$Munix-socket$Npath-as-is$Osocks5-gssapi-serviceproxy-service-name$Pservice-name$Qproto-default$Rexpect100-timeout$Stftp-no-options$Uconnect-to$Wabstract-unix-socket$Xtls-max$Ysuppress-connect-headers$Zcompressed-ssh$~happy-eyeballs-timeout-ms$!retry-all-errors0http1.001http1.102http203http2-prior-knowledge04http309http0.91tlsv110tlsv1.011tlsv1.112tlsv1.213tlsv1.31Atls13-ciphers1Bproxy-tls13-ciphers2sslv23sslv34ipv46ipv6aappendAuser-agentbcookiebaalt-svcbbhstsBuse-asciiccookie-jarCcontinue-atddatadrdata-rawdadata-asciidbdata-binarydedata-urlencodeDdump-headererefererEcertEacacertEbcert-typeEckeyEdkey-typeEepassEfengineEgcapathEhpubkeyEihostpubmd5EFhostpubsha256EjcrlfileEktlsuserEltlspasswordEmtlsauthtypeEnssl-allow-beastEossl-auto-client-certEOproxy-ssl-auto-client-certEppinnedpubkeyEPproxy-pinnedpubkeyEqcert-statusEQdoh-cert-statusErfalse-startEsssl-no-revokeESssl-revoke-best-effortEttcp-fastopenEuproxy-tlsuserEvproxy-tlspasswordEwproxy-tlsauthtypeExproxy-certEyproxy-cert-typeEzproxy-keyE0proxy-key-typeE1proxy-passE2proxy-ciphersE3proxy-crlfileE4proxy-ssl-allow-beastE5login-optionsE6proxy-cacertE7proxy-capathE8proxy-insecureE9proxy-tlsv1EAsocks5-basicEBsocks5-gssapiECetag-saveEDetag-compareEEcurvesffailfafail-earlyfbstyled-outputfcmail-rcpt-allowfailsfdfail-with-bodyFformFsform-stringggloboffGgetGarequest-targethhelpHheaderHpproxy-headeriincludeIheadjjunk-session-cookiesJremote-header-namekinsecurekddoh-insecureKconfigllist-onlyLlocationLtlocation-trustedmmax-timeMmanualnnetrcnonetrc-optionalnenetrc-fileNbufferooutputOremote-nameOaremote-name-allOboutput-dirpproxytunnelPftp-portqdisableQquoterrangeRremote-timessilentSshow-errorttelnet-optionTupload-fileuuserUproxy-uservverboseVversionwwrite-outxproxyxapreproxyXrequestYspeed-limityspeed-timeztime-condZparallelZbparallel-maxZcparallel-immediate#progress-bar#mprogress-meternextinvalid number specified for %
Source: curl.exe String found in binary or memory: For all options use the manual or "--help all".allcategoryInvalid category provided, here is a list of all categories:
Source: curl.exe String found in binary or memory: --dns-ipv4-addr <address>
Source: curl.exe String found in binary or memory: --dns-ipv6-addr <address>
Source: curl.exe String found in binary or memory: --false-start
Source: curl.exe String found in binary or memory: -h, --help <category>
Source: curl.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe String found in binary or memory: Note: Warning: curl: curl: try 'curl --help' or 'curl --manual' for more information
Source: curl.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryMoving trailers state machine from initialized to sending.operation aborted by trailing headers callbackSuccessfully compiled trailers.operation aborted by callbackRead callback asked for PAUSE when not supported!read function returned funny value
Source: curl.exe String found in binary or memory: Unable to complete request for channel-process-startup
Source: curl.exe String found in binary or memory: [\Unable to allocate space for channel dataFailed allocating memory for channel type nameUnable to allocate temporary space for packetWould block sending channel-open requestUnable to send channel-open requestWould blockUnexpected errorUnexpected packet sizeChannel open failure (administratively prohibited)Channel open failure (connect failed)Channel open failure (unknown channel type)Channel open failure (resource shortage)Channel open failureUnable to allocate memory for setenv packetcancel-tcpip-forwardWould block sending forward requestUnable to send global-request packet for forward listen requestauth-agent-req@openssh.comauth-agent-reqcdChannel can not be reusedUnable to allocate memory for channel-process requestWould block sending channel requestUnable to send channel requestFailed waiting for channel successUnable to complete request for channel-process-startupUnexpected packet lengthUnable to allocate memory for signal nameWould block sending window adjustUnable to send transfer-window adjustment packet, deferringtransport readwould blockWe've already closed this channelEOF has already been received, data might be ignoredFailure while draining incoming flowUnable to send channel dataUnable to send EOF, but closing channel anywayWould block sending close-channelUnable to send close-channel request, but closing anywayUnable to allocate memory for direct-tcpip connectiondirect-tcpipQR0.0.0.0tcpip-forwardWould block sending global-request packet for forward listen requestUnknownUnable to allocate memory for listener queueUnable to complete request for forward-listenWould block waiting for packetChannel not foundcdenvWould block sending setenv requestUnable to send channel-request packet for setenv requestUnable to complete request for channel-setenvcdWould block sending auth-agent requestUnable to send auth-agent requestFailed to request auth-agentUnable to complete request for auth-agentcdterm + mode lengths too largepty-reqWould block sending pty requestUnable to send pty-request packetFailed to require the PTY packageUnable to complete request for channel request-ptywindow-changeWould block sending window-change requestUnable to send window-change packetcdUnable to allocate memory for pty-requestx11-reqMIT-MAGIC-COOKIE-1Unable to get random bytes for x11-req cookie%02XWould block sending X11-req packetUnable to send x11-req packetwaiting for x11-req response packetUnable to complete request for channel x11-reqWould block sending EOFUnable to send EOF on channelReceiving channel window has been exhausted_libssh2_transport_read() bailed out!libssh2_channel_wait_closed() invoked when channel is not in EOF state
Source: curl.exe String found in binary or memory: id-cmc-addExtensions
Source: curl.exe String found in binary or memory: set-addPolicy
Source: curl.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: classification engine Classification label: clean2.winEXE@2/1@0/0
Source: unknown Process created: C:\Users\user\Desktop\curl.exe "C:\Users\user\Desktop\curl.exe"
Source: C:\Users\user\Desktop\curl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1556:120:WilError_01
Source: curl.exe Static file information: File size 5499464 > 1048576
Source: curl.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: curl.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: curl.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3a1000
Source: curl.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x150800
Source: curl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation

Source: curl.exe Static PE information: section name: .xdata

Malware Analysis System Evasion

Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: curl.exe, 00000000.00000002.660514752.00000263D2F48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos