Windows Analysis Report
5Uvn8Uyob8.exe

Overview

General Information

Sample name: 5Uvn8Uyob8.exe
renamed because original name is a hash value
Original sample name: 32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589.exe
Analysis ID: 1502167
MD5: db0bcc378f0895c40ad9bd5f9f7f0b11
SHA1: 70f09e0bc1ecc343ef963fc40e3371162091cee5
SHA256: 32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589
Tags: 119-45-147-28exe
Detection

CobaltStrike, Metasploit
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"}
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"}
Source: 5Uvn8Uyob8.exe ReversingLabs: Detection: 31%
Source: 5Uvn8Uyob8.exe Virustotal: Detection: 32%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.8% probability
Source: 5Uvn8Uyob8.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872ED440 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6872ED440
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872ED2BC FindFirstFileExW, 0_2_00007FF6872ED2BC

Networking

Source: Malware configuration extractor URLs: http://119.45.147.28:443/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor URLs: http://119.45.147.28/jquery-3.3.2.slim.min.js
Source: Joe Sandbox View ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 119.45.147.28:443
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.jquery.com/
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.jquery.com/Rs
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDABB000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/F
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/e
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsM
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsY
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsd4_
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsi
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDABB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsm:
Source: 5Uvn8Uyob8.exe, 00000000.00000003.2349419346.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsu
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/query-3.3.2.slim.min.js1
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/su
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

System Summary

Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E4F60 NtDelayExecution, 0_2_00007FF6872E4F60
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E549A NtAllocateVirtualMemory,NtProtectVirtualMemory,CreateFiber, 0_2_00007FF6872E549A
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872F3F98 0_2_00007FF6872F3F98
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872ED440 0_2_00007FF6872ED440
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E82B4 0_2_00007FF6872E82B4
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872ED2BC 0_2_00007FF6872ED2BC
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_0000021DEDA7010C 0_2_0000021DEDA7010C
Source: 5Uvn8Uyob8.exe Static PE information: invalid certificate
Source: 5Uvn8Uyob8.exe Binary or memory string: OriginalFilename vs 5Uvn8Uyob8.exe
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2956288285.00007FF687308000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsedge.exe> vs 5Uvn8Uyob8.exe
Source: 5Uvn8Uyob8.exe Binary or memory string: OriginalFilenamemsedge.exe> vs 5Uvn8Uyob8.exe
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine Classification label: mal88.troj.winEXE@2/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: 5Uvn8Uyob8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\5Uvn8Uyob8.exe "C:\Users\user\Desktop\5Uvn8Uyob8.exe"
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: 5Uvn8Uyob8.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 5Uvn8Uyob8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5Uvn8Uyob8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5Uvn8Uyob8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5Uvn8Uyob8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5Uvn8Uyob8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 5Uvn8Uyob8.exe Static PE information: section name: .00cfg
Source: 5Uvn8Uyob8.exe Static PE information: section name: .gxfg
Source: 5Uvn8Uyob8.exe Static PE information: section name: .retplne
Source: 5Uvn8Uyob8.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_0000021DEDA7012B push eax; ret 0_2_0000021DEDA70387
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_0000021DEDA7010C push eax; ret 0_2_0000021DEDA70387
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe API coverage: 7.2 %
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe TID: 7500 Thread sleep time: -30000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E4BF0 GetSystemInfo, 0_2_00007FF6872E4BF0
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2349419346.0000021DEDB2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 5Uvn8Uyob8.exe, 00000000.00000002.2955991151.0000021DEDAF0000.00000004.00000020.00020000.00000000.sdmp, 5Uvn8Uyob8.exe, 00000000.00000003.2028666595.0000021DEDAF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@j
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872EAEA8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6872EAEA8
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E97E4 GetProcessHeap, 0_2_00007FF6872E97E4
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E5F18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6872E5F18
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E65A4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6872E65A4
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E6594 SetUnhandledExceptionFilter, 0_2_00007FF6872E6594
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872F3DB0 cpuid 0_2_00007FF6872F3DB0
Source: C:\Users\user\Desktop\5Uvn8Uyob8.exe Code function: 0_2_00007FF6872E8C8C GetSystemTimeAsFileTime, 0_2_00007FF6872E8C8C

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2955965491.0000021DEDA70000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2955823037.0000002214F2C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY