Windows
Analysis Report
5Uvn8Uyob8.exe
Overview
General Information
Sample name: | 5Uvn8Uyob8.exe (renamed because original name is a hash value) |
Original sample name: | 32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589.exe |
Analysis ID: | 1502167 |
MD5: | db0bcc378f0895c40ad9bd5f9f7f0b11 |
SHA1: | 70f09e0bc1ecc343ef963fc40e3371162091cee5 |
SHA256: | 32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589 |
Tags: | 119-45-147-28, exe |
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- 5Uvn8Uyob8.exe (PID: 7496, cmdline: "C:\Users\user\Desktop\5Uvn8Uyob8.exe", MD5: DB0BCC378F0895C40AD9BD5F9F7F0B11)
  - conhost.exe (PID: 7504, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Cobalt Strike, CobaltStrike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. | | | |
{"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"}
{"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"}
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security | |
Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leveraged by metasploit shellcode | unknown | |
Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown | |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|---|
2024-08-31T11:46:33.050339+0200 | 2028765 | 3 | 49730 | 443 | TCP | Unknown Traffic |
2024-08-31T11:47:37.191366+0200 | 2028765 | 3 | 49739 | 443 | TCP | Unknown Traffic |
2024-08-31T11:47:05.128391+0200 | 2028765 | 3 | 49737 | 443 | TCP | Unknown Traffic |
2024-08-31T11:45:55.503206+0200 | 2028765 | 3 | 49740 | 443 | TCP | Unknown Traffic |
AV Detection |
---|
Source: | Malware Configuration Extractor (2 entries) |
Source: | ReversingLabs |
Source: | Virustotal |
Source: | Integrated Neural Analysis Model |
Source: | Static PE information |
Source: | Code function: 0_2_00007FF6872ED440, 0_2_00007FF6872ED2BC |
Networking |
---|
Source: | URLs (2 entries) |
Source: | ASN Name |
Source: | Suricata IDS (4 alerts) |
Source: | TCP traffic detected without corresponding DNS query (15 entries) |
Source: | String found in binary or memory (14 entries) |
Source: | Network traffic detected (8 entries) |
System Summary |
---|
Source: | Matched rule (4 entries) |
Source: | Code function: 0_2_00007FF6872E4F60, 0_2_00007FF6872E549A |
Source: | Code function: 0_2_00007FF6872F3F98, 0_2_00007FF6872ED440, 0_2_00007FF6872E82B4, 0_2_00007FF6872ED2BC, 0_2_0000021DEDA7010C |
Source: | Static PE information |
Source: | Binary or memory string (3 entries) |
Source: | Matched rule (4 entries) |
Source: | Classification label |
Source: | Mutant created |
Source: | Static PE information |
Source: | Key opened |
Source: | ReversingLabs, Virustotal |
Source: | Process created (2 entries) |
Source: | Section loaded (17 entries) |
Source: | Key value queried |
Source: | Static PE information |
Source: | Static PE information |
Source: | Static PE information (5 entries) |
Source: | Static PE information (4 entries) |
Source: | Code function: 0_2_0000021DEDA70387 (2 entries) |
Source: | API coverage |
Source: | Thread sleep time |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query |
Source: | Last function |
Source: | Code function: 0_2_00007FF6872ED440, 0_2_00007FF6872ED2BC |
Source: | Code function: 0_2_00007FF6872E4BF0 |
Source: | Binary or memory string (2 entries) |
Source: | Code function: 0_2_00007FF6872EAEA8 |
Source: | Code function: 0_2_00007FF6872E97E4 |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query |
Source: | Code function: 0_2_00007FF6872EAEA8, 0_2_00007FF6872E5F18, 0_2_00007FF6872E65A4, 0_2_00007FF6872E6594 |
Source: | Memory allocated |
Source: | Code function: 0_2_00007FF6872F3DB0 |
Source: | Code function: 0_2_00007FF6872E8C8C |
Remote Access Functionality |
---|
Source: | File source (2 entries) |
Source: | File source (2 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Detection | Scanner | Label |
---|---|---|
32% | ReversingLabs | Win64.Backdoor.Cobeacon |
33% | Virustotal | |
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
1% | Virustotal | |
2% | Virustotal | |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
1% | Virustotal | |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
1% | Virustotal | |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
2% | Virustotal | |
Malicious | Antivirus Detection | Reputation |
---|---|---|
true | | unknown |
true | | unknown |
Malicious | Antivirus Detection | Reputation |
---|---|---|
false | | unknown |
true | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
119.45.147.28 | unknown | China | | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1502167 |
Start date and time: | 2024-08-31 11:45:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 50s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 5Uvn8Uyob8.exe (renamed because original name is a hash value) |
Original Sample Name: | 32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589.exe |
Detection: | MAL |
Classification: | mal88.troj.winEXE@2/0@0/1 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; the report is missing behavior information
Time | Type | Description |
---|---|---|
05:45:59 | API Interceptor | |
Match | Detection | Threat Name |
---|---|---|
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Unknown |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Mirai |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Unknown |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Unknown |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Unknown |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Unknown |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Unknown |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Unknown |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | Unknown |
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | malicious | CobaltStrike, Metasploit |
File type: | |
Entropy (8bit): | 6.629282802894755 |
TrID: | |
File name: | 5Uvn8Uyob8.exe |
File size: | 226'256 bytes |
MD5: | db0bcc378f0895c40ad9bd5f9f7f0b11 |
SHA1: | 70f09e0bc1ecc343ef963fc40e3371162091cee5 |
SHA256: | 32c91c1331de77b1cf565aff5b4c758ea851eb2e0b6dcec36990b9a282147589 |
SHA512: | a50740204343ecab987b187621f4bc8ff700302ab7c65e882ebe413bc2557bf3682db7985061eaf49bfc116a8bafc4becaa53b739eceb6472590ecd0bb06cded |
SSDEEP: | 3072:LAjRP/MfsdCZyF3M0AqW8HaCbpWKWpkFMu02VFMzFj8e5BV0rUniyimyzO:OEIw43M0G/2vW76Mzie5v0rURyi |
TLSH: | 37249D07B6A974FCE42AD770C4648A4697B7BD7013608BDF13A4963A2F636D48D38F60 |
File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...^F.f.........."......:...........a.........@..........................................`........................................ |
Icon Hash: | 0703053232670f1f |
Entrypoint: | 0x1400061ac |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x66A3465E [Fri Jul 26 06:46:54 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 2f8c554b630188631a1d0ca244d99595 |
Signature Valid: | false |
Signature Issuer: | CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Version: | 3 |
Thumbprint MD5: | 1501CB08D08AB9513578ECAA0534F741 |
Thumbprint SHA-1: | 7E9572FFDB0BE9E618862EB6463B2C0782FC2DB9 |
Thumbprint SHA-256: | 8C32CB33A6114A9BA3B33916F4146581287BD0FC647D7773636E45E8BAE07730 |
Serial: | 330000033C2B0A49D9D2917EAC00000000033C |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007F82A125DFA0h |
dec eax |
add esp, 28h |
jmp 00007F82A125DBB7h |
int3 |
int3 |
dec eax |
sub esp, 28h |
call 00007F82A125DD54h |
dec eax |
neg eax |
sbb eax, eax |
neg eax |
dec eax |
dec eax |
add esp, 28h |
ret |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
dec eax |
cmp dword ptr [0001B0E2h], FFFFFFFFh |
dec eax |
mov ebx, ecx |
jne 00007F82A125DD49h |
call 00007F82A125FDF9h |
jmp 00007F82A125DD51h |
dec eax |
mov edx, ebx |
dec eax |
lea ecx, dword ptr [0001B0CCh] |
call 00007F82A125FD5Ch |
xor edx, edx |
test eax, eax |
dec eax |
cmove edx, ebx |
dec eax |
mov eax, edx |
dec eax |
add esp, 20h |
pop ebx |
ret |
int3 |
int3 |
dec eax |
sub esp, 18h |
dec esp |
mov eax, ecx |
mov eax, 00005A4Dh |
cmp word ptr [FFFF9DD9h], ax |
jne 00007F82A125DDBAh |
dec eax |
arpl word ptr [FFFF9E0Ch], cx |
dec eax |
lea edx, dword ptr [FFFF9DC9h] |
dec eax |
add ecx, edx |
cmp dword ptr [ecx], 00004550h |
jne 00007F82A125DDA1h |
mov eax, 0000020Bh |
cmp word ptr [ecx+18h], ax |
jne 00007F82A125DD96h |
dec esp |
sub eax, edx |
movzx edx, word ptr [ecx+14h] |
dec eax |
add edx, 18h |
dec eax |
add edx, ecx |
movzx eax, word ptr [ecx+06h] |
dec eax |
lea ecx, dword ptr [eax+eax*4] |
dec esp |
lea ecx, dword ptr [edx+ecx*8] |
dec eax |
mov dword ptr [esp], edx |
dec ecx |
cmp edx, ecx |
je 00007F82A125DD5Ah |
mov ecx, dword ptr [edx+0Ch] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cd50 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x29000 | 0x11ee8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x22000 | 0x10e0 | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x34c00 | 0x27d0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3b000 | 0xaf0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x15500 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1d038 | 0x2a8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x138c6 | 0x13a00 | 60f3629cabfe0abd874ad05a40b87577 | False | 0.5606215167197452 | data | 6.584536629813981 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x15000 | 0x986c | 0x9a00 | 5d333f8442902b3a8093f8ce540365a0 | False | 0.43458299512987014 | data | 4.86337784910343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1f000 | 0x2f10 | 0x1e00 | ad7e1a9305e9ddb27b8eca8606404bf3 | False | 0.25755208333333335 | data | 5.737923723877776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x22000 | 0x10e0 | 0x1200 | a447b277bf3b1d6de9fa21a32db1ab94 | False | 0.4583333333333333 | data | 4.76952083248037 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.00cfg | 0x24000 | 0x38 | 0x200 | e0133a52597151a998cd929afa56b858 | False | 0.072265625 | data | 0.4362466220649174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.gxfg | 0x25000 | 0x1130 | 0x1200 | 4cce2d84947c5dce6432b89d096694d7 | False | 0.4166666666666667 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 4.916929673040231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.retplne | 0x27000 | 0x8c | 0x200 | 8c950f651287cbc1296bcb4e8cd7e990 | False | 0.126953125 | data | 1.050583247971927 | |
_RDATA | 0x28000 | 0x15c | 0x200 | e1d1d4f94013776182cbf8ff6d4994db | False | 0.380859375 | data | 2.7683496218709203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x29000 | 0x11ee8 | 0x12000 | 9e753d0f5e1af5a353b1cf45f31941da | False | 0.6406114366319444 | data | 6.746377184180407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x3b000 | 0xaf0 | 0xc00 | d243eac38353c64c2238153010a8033c | False | 0.4934895833333333 | data | 5.283610684883323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x295c8 | 0x6fd1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9973449781659388 |
RT_ICON | 0x305a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.36620217288615964 |
RT_ICON | 0x347c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4182572614107884 |
RT_ICON | 0x36d70 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.4485207100591716 |
RT_ICON | 0x387d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5117260787992496 |
RT_ICON | 0x39880 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5745901639344262 |
RT_ICON | 0x3a208 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.6540697674418605 |
RT_ICON | 0x3a8c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7145390070921985 |
RT_GROUP_ICON | 0x3ad28 | 0x76 | data | English | United States | 0.7542372881355932 |
RT_VERSION | 0x29290 | 0x334 | data | English | United States | 0.43414634146341463 |
RT_MANIFEST | 0x3ada0 | 0x143 | XML 1.0 document, ASCII text | English | United States | 0.628482972136223 |
DLL | Import |
---|---|
KERNEL32.dll | CloseHandle, CompareStringW, ConvertThreadToFiber, CreateFiber, CreateFileA, CreateFileW, DeleteCriticalSection, DeviceIoControl, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemInfo, GetSystemTimeAsFileTime, GetTickCount64, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SwitchToFiber, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile |
USER32.dll | GetForegroundWindow, ShowWindow |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|---|
2024-08-31T11:46:33.050339+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49730 | 443 | 192.168.2.4 | 119.45.147.28 |
2024-08-31T11:47:37.191366+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49739 | 443 | 192.168.2.4 | 119.45.147.28 |
2024-08-31T11:47:05.128391+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49737 | 443 | 192.168.2.4 | 119.45.147.28 |
2024-08-31T11:45:55.503206+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 49740 | 443 | 192.168.2.4 | 119.45.147.28 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Aug 31, 2024 11:46:00.942668915 CEST | 49730 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:46:00.942689896 CEST | 443 | 49730 | 119.45.147.28 | 192.168.2.4 |
Aug 31, 2024 11:46:00.942790031 CEST | 49730 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:46:00.951280117 CEST | 49730 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:46:00.951292992 CEST | 443 | 49730 | 119.45.147.28 | 192.168.2.4 |
Aug 31, 2024 11:46:33.050338984 CEST | 49730 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:46:33.067934036 CEST | 49737 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:46:33.067975998 CEST | 443 | 49737 | 119.45.147.28 | 192.168.2.4 |
Aug 31, 2024 11:46:33.068058014 CEST | 49737 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:46:33.068358898 CEST | 49737 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:46:33.068372965 CEST | 443 | 49737 | 119.45.147.28 | 192.168.2.4 |
Aug 31, 2024 11:47:05.128391027 CEST | 49737 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:47:05.136425018 CEST | 49739 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:47:05.136467934 CEST | 443 | 49739 | 119.45.147.28 | 192.168.2.4 |
Aug 31, 2024 11:47:05.136534929 CEST | 49739 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:47:05.136831999 CEST | 49739 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:47:05.136847973 CEST | 443 | 49739 | 119.45.147.28 | 192.168.2.4 |
Aug 31, 2024 11:47:37.191365957 CEST | 49739 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:47:37.198266983 CEST | 49740 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:47:37.198333025 CEST | 443 | 49740 | 119.45.147.28 | 192.168.2.4 |
Aug 31, 2024 11:47:37.198436975 CEST | 49740 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:47:37.198756933 CEST | 49740 | 443 | 192.168.2.4 | 119.45.147.28 |
Aug 31, 2024 11:47:37.198781013 CEST | 443 | 49740 | 119.45.147.28 | 192.168.2.4 |
Target ID: | 0 |
Start time: | 05:45:59 |
Start date: | 31/08/2024 |
Path: | C:\Users\user\Desktop\5Uvn8Uyob8.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6872e0000 |
File size: | 226'256 bytes |
MD5 hash: | DB0BCC378F0895C40AD9BD5F9F7F0B11 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Target ID: | 1 |
Start time: | 05:45:59 |
Start date: | 31/08/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 3% |
Dynamic/Decrypted Code Coverage: | 1.1% |
Signature Coverage: | 5.7% |
Total number of Nodes: | 371 |
Total number of Limit Nodes: | 7 |
Function | Relevance | APIs | Strings | Instructions | Tags | Yara matches |
---|---|---|---|---|---|---|
00007FF6872E549A | 12.4 | 3 | 4 | 155 | native, memory, COMMON | |
00007FF6872E4F60 | 5.3 | 1 | 2 | 85 | native, COMMON | |
0000021DEDA7012B | 3.6 | 1 | 1 | 99 | network, COMMON | yes |
00007FF6872E4DA0 | 3.6 | 1 | 1 | 59 | COMMON | |
00007FF6872EC4D8 | 1.5 | 1 | | 36 | memory, COMMON, LIBRARYCODE | |
00007FF6872EAEA8 | 9.1 | 6 | | 83 | COMMON, LIBRARYCODE | |
00007FF6872ED440 | 9.0 | 4 | 1 | 236 | file, COMMON | |
00007FF6872ED2BC | 3.7 | 1 | 1 | 230 | COMMON | |
00007FF6872F3F98 | 3.2 | 2 | | 227 | COMMON, LIBRARYCODE | |
00007FF6872E82B4 | 0.1 | | | 126 | COMMON | |
00007FF6872F3DB0 | 0.0 | | | 32 | COMMON | |
00007FF6872E6594 | 0.0 | | | 2 | COMMON | |
00007FF6872E9570 | 14.1 | 5 | 3 | 117 | libraryloader, COMMON, LIBRARYCODE | |
00007FF6872F0B74 | 12.6 | 4 | 3 | 317 | COMMON, LIBRARYCODE | |
00007FF6872EE660 | 12.3 | 5 | 2 | 88 | libraryloader, COMMON, LIBRARYCODE | |
00007FF6872E986C | 10.6 | 7 | | 62 | COMMON, LIBRARYCODE | |
00007FF6872F3284 | 10.5 | 5 | 1 | 48 | file, COMMON | |
00007FF6872E99E4 | 9.1 | 6 | | 57 | COMMON, LIBRARYCODE | |
00007FF6872EF3A0 | 9.0 | 4 | 1 | 299 | file, COMMON | |
00007FF6872E6990 | 8.9 | 3 | 2 | 144 | COMMON | |
00007FF6872E7A94 | 8.8 | 3 | 2 | 27 | libraryloader, COMMON, LIBRARYCODE | |
00007FF6872F3BC0 | 7.6 | 5 | | 56 | COMMON, LIBRARYCODE | |
00007FF6872E9AAC | 7.6 | 5 | | 54 | COMMON, LIBRARYCODE | |
00007FF6872F1120 | 7.2 | 2 | 2 | 158 | COMMON, LIBRARYCODE | |
00007FF6872F0534 | 7.1 | 2 | 2 | 146 | COMMON, LIBRARYCODE | |
00007FF6872F067C | 6.2 | 4 | | 202 | COMMON, LIBRARYCODE | |
00007FF6872E6410 | 6.0 | 4 | | 39 | time, thread, COMMON | |
00007FF6872ECD68 | 5.4 | 1 | 2 | 180 | COMMON | |
00007FF6872EFA38 | 5.4 | 2 | 1 | 100 | file, COMMON | |
00007FF6872F2A50 | 5.3 | 2 | 1 | 44 | COMMON, LIBRARYCODE | |