Edit tour

Windows Analysis Report
uA71eQl1nA.exe

Overview

General Information

Sample name:	uA71eQl1nA.exe renamed because original name is a hash value
Original sample name:	f65bf4180cc2a75e1897ef3675b1ddeb72e04dd884ff7a8566cc7104b6c26e2a.exe
Analysis ID:	1502169
MD5:	196c296463a4e3596f031f9bf492665f
SHA1:	6945abc3f4670ae001b22fd59670e3336ef77b62
SHA256:	f65bf4180cc2a75e1897ef3675b1ddeb72e04dd884ff7a8566cc7104b6c26e2a
Tags:	119-45-147-28exe
Infos:

Detection

CobaltStrike, Metasploit

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Detected potential crypto function

Internet Provider seen in connection with other malware

Program does not show much activity (idle)

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

uA71eQl1nA.exe (PID: 572 cmdline: "C:\Users\user\Desktop\uA71eQl1nA.exe" MD5: 196C296463A4E3596F031F9BF492665F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"}

Threatname: Metasploit

{"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x5981:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x59ed:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.6 - Destination IP: 119.45.147.28

Timestamp:	2024-08-31T11:46:40.736140+0200
SID:	2028765
Severity:	3
Source Port:	49711
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.6 - Destination IP: 119.45.147.28

Timestamp:	2024-08-31T11:47:44.891842+0200
SID:	2028765
Severity:	3
Source Port:	49723
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.6 - Destination IP: 119.45.147.28

Timestamp:	2024-08-31T11:45:59.094447+0200
SID:	2028765
Severity:	3
Source Port:	49726
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.6 - Destination IP: 119.45.147.28

Timestamp:	2024-08-31T11:47:12.829049+0200
SID:	2028765
Severity:	3
Source Port:	49719
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"}
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"}

Multi AV Scanner detection for submitted file

Source: uA71eQl1nA.exe	ReversingLabs: Detection: 31%
Source: uA71eQl1nA.exe	Virustotal: Detection: 22%			Perma Link

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCR90.dll

Jump to behavior

Source: uA71eQl1nA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://119.45.147.28:443/jquery-3.3.2.slim.min.js
Source: Malware configuration extractor	URLs: http://119.45.147.28/jquery-3.3.2.slim.min.js

Source: Joe Sandbox View

ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49711 -> 119.45.147.28:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49719 -> 119.45.147.28:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49723 -> 119.45.147.28:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49726 -> 119.45.147.28:443

Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28
Source: unknown	TCP traffic detected without corresponding DNS query: 119.45.147.28

Source: uA71eQl1nA.exe, 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://119.45.147.28/
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://119.45.147.28/8
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js
Source: uA71eQl1nA.exe, 00000000.00000003.3123468056.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js#
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js3fovzTE
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsYvdTA
Source: uA71eQl1nA.exe, 00000000.00000003.3123468056.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jss

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

Code function: 0_2_0275010C

0_2_0275010C

Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal84.troj.winEXE@1/0@0/1

Source: uA71eQl1nA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: uA71eQl1nA.exe	ReversingLabs: Detection: 31%
Source: uA71eQl1nA.exe	Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

File read: C:\Users\user\Desktop\uA71eQl1nA.exe

Jump to behavior

Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: uA71eQl1nA.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCR90.dll

Jump to behavior

Source: uA71eQl1nA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Code function: 0_2_0275010C push eax; ret		0_2_02750387
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Code function: 0_2_0275012B push eax; ret		0_2_02750387

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

Code function: 0_2_00007FF6259612F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess,

0_2_00007FF6259612F0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Code function: 0_2_00007FF625961820 SetUnhandledExceptionFilter,		0_2_00007FF625961820
Source: C:\Users\user\Desktop\uA71eQl1nA.exe	Code function: 0_2_00007FF6259612F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess,		0_2_00007FF6259612F0

Source: C:\Users\user\Desktop\uA71eQl1nA.exe

Code function: 0_2_00007FF625961A64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00007FF625961A64

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match	File source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
uA71eQl1nA.exe	32%	ReversingLabs	Win64.Backdoor.Meterpreter
uA71eQl1nA.exe	23%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://119.45.147.28/8	0%	Avira URL Cloud	safe
https://119.45.147.28/jquery-3.3.2.slim.min.js3fovzTE	0%	Avira URL Cloud	safe
http://119.45.147.28/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
http://119.45.147.28:443/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
http://code.jquery.com/	0%	Avira URL Cloud	safe
https://119.45.147.28/jquery-3.3.2.slim.min.js	0%	Avira URL Cloud	safe
https://119.45.147.28/	0%	Avira URL Cloud	safe
http://119.45.147.28:443/jquery-3.3.2.slim.min.js	1%	Virustotal		Browse
https://119.45.147.28/jquery-3.3.2.slim.min.jsYvdTA	0%	Avira URL Cloud	safe
https://119.45.147.28/jquery-3.3.2.slim.min.js#	0%	Avira URL Cloud	safe
https://119.45.147.28/jquery-3.3.2.slim.min.jss	0%	Avira URL Cloud	safe
https://119.45.147.28/jquery-3.3.2.slim.min.js#	1%	Virustotal		Browse
https://119.45.147.28/jquery-3.3.2.slim.min.jss	2%	Virustotal		Browse
https://119.45.147.28/jquery-3.3.2.slim.min.js	1%	Virustotal		Browse
http://code.jquery.com/	1%	Virustotal		Browse
https://119.45.147.28/	2%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://119.45.147.28/jquery-3.3.2.slim.min.js	true	Avira URL Cloud: safe	unknown
http://119.45.147.28:443/jquery-3.3.2.slim.min.js	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://119.45.147.28/8	uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://119.45.147.28/jquery-3.3.2.slim.min.js3fovzTE	uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://code.jquery.com/	uA71eQl1nA.exe, 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://119.45.147.28/jquery-3.3.2.slim.min.js	uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://119.45.147.28/	uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://119.45.147.28/jquery-3.3.2.slim.min.jsYvdTA	uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://119.45.147.28/jquery-3.3.2.slim.min.js#	uA71eQl1nA.exe, 00000000.00000003.3123468056.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://119.45.147.28/jquery-3.3.2.slim.min.jss	uA71eQl1nA.exe, 00000000.00000003.3123468056.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
119.45.147.28	unknown	China		45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502169
Start date and time:	2024-08-31 11:45:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uA71eQl1nA.exe renamed because original name is a hash value
Original Sample Name:	f65bf4180cc2a75e1897ef3675b1ddeb72e04dd884ff7a8566cc7104b6c26e2a.exe
Detection:	MAL
Classification:	mal84.troj.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 6 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	linux_amd64.elf	Get hash	malicious	Unknown	Browse	119.29.233.208
	SecuriteInfo.com.Linux.Siggen.9999.28377.24731.elf	Get hash	malicious	Mirai	Browse	152.136.47.156
	BjdhvHE9Lu.exe	Get hash	malicious	Unknown	Browse	122.51.240.117
	SecuriteInfo.com.Trojan.DownLoader46.48074.21382.27832.exe	Get hash	malicious	Unknown	Browse	106.53.77.23
	firmware.m68k.elf	Get hash	malicious	Unknown	Browse	140.143.139.193
	KKveTTgaAAsecNNaaaa.sh4.elf	Get hash	malicious	Unknown	Browse	146.56.230.81
	KKveTTgaAAsecNNaaaa.spc.elf	Get hash	malicious	Unknown	Browse	120.53.107.161
	KKveTTgaAAsecNNaaaa.mpsl.elf	Get hash	malicious	Unknown	Browse	118.28.5.155
	kovENvYM9C.elf	Get hash	malicious	Unknown	Browse	134.175.132.160
	pzGt29I16y.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	111.229.0.18

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	3.520458238473574
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	uA71eQl1nA.exe
File size:	176'544 bytes
MD5:	196c296463a4e3596f031f9bf492665f
SHA1:	6945abc3f4670ae001b22fd59670e3336ef77b62
SHA256:	f65bf4180cc2a75e1897ef3675b1ddeb72e04dd884ff7a8566cc7104b6c26e2a
SHA512:	006ea3974ede4b3d5ad123e4fb178aba8250ade2db86d1936f21ce79f21d748f92a192704871c4ebe47fbdfe34786f720b1a7160616885dc39e36fd237b3647e
SSDEEP:	768:euef6Rn2q5+tf2NI1BZmYZ76gkHYPxCBX4loBU534vi3yFIcTqGUD:eHf7qwtF976goYpCooo46guD
TLSH:	DB04F982E97DFC52F93CB5F0ECED9A225CAC2C1E00F7387535B6B26A86379255B00255
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6u@.X&@.X&@.X&^..&B.X&^..&A.X&^..&P.X&gY#&G.X&@.Y&t.X&^..&D.X&^..&A.X&^..&A.X&Rich@.X&........................PE..d....E.f...

File Icon


Icon Hash:	8bb585a684a685ab

Static PE Info

General

Entrypoint:	0x14000167c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A345AD [Fri Jul 26 06:43:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	3650c83ce97dfda9cdbfb2fc40f4282d

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0B3CDA0134h
dec eax
add esp, 28h
jmp 00007F0B3CD9FA53h
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00001A4Dh]
call dword ptr [0000099Fh]
dec esp
mov ebx, dword ptr [00001B38h]
dec esp
mov dword ptr [esp+58h], ebx
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007F0B3CDA01CAh
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007F0B3CD9FD93h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [000019F8h]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007F0B3CDA0178h
jmp 00007F0B3CD9FD74h
dec eax
mov eax, dword ptr [esp+00000088h]
dec eax
mov dword ptr [00001AC4h], eax
dec eax
lea eax, dword ptr [esp+00000088h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00001A51h], eax
dec eax
mov eax, dword ptr [00001AAAh]
dec eax
mov dword ptr [0000191Bh], eax

Rich Headers

Programming Language:

[IMP] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x237c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5000	0x28d60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4000	0xfc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0x14	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x1c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbb1	0xc00	ef6eb144facb11a3ef9054a3451698ce	False	0.6569010416666666	zlib compressed data	5.909520251721885	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x91a	0xa00	e85936076208180a2af15cac861c233f	False	0.412890625	data	4.100320919739271	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x5f8	0x200	ba5e9ac632de125965c5dfac3d6de948	False	0.06640625	data	0.4546902913731214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4000	0xfc	0x200	eaeb198cd5ff6ba4c2eca7618b46d748	False	0.31640625	data	2.0827576937226624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5000	0x29000	0x28e00	64e3336ba35b28b9e2113ad72da2d999	False	0.07062906154434251	data	3.346189228650437	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0x3c	0x200	db561ee9d53ceb463ab25a7d84b0c8df	False	0.0625	data	0.2311581448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5634	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.271505376344086
RT_ICON	0x591c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4560810810810811
RT_ICON	0x5a44	0x2ca8	Device independent bitmap graphic, 96 x 192 x 8, image size 9216, 256 important colors	Chinese	China	0.06088173547935619
RT_ICON	0x86ec	0x1bc8	Device independent bitmap graphic, 72 x 144 x 8, image size 5184, 256 important colors	Chinese	China	0.09195725534308212
RT_ICON	0xa2b4	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	Chinese	China	0.10401974612129761
RT_ICON	0xb8dc	0x1418	Device independent bitmap graphic, 60 x 120 x 8, image size 3600, 256 important colors	Chinese	China	0.11061430793157076
RT_ICON	0xccf4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.13352878464818763
RT_ICON	0xdb9c	0xba8	Device independent bitmap graphic, 40 x 80 x 8, image size 1600, 256 important colors	Chinese	China	0.13672922252010725
RT_ICON	0xe744	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.16561371841155234
RT_ICON	0xefec	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Chinese	China	0.21428571428571427
RT_ICON	0xf6b4	0x608	Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors	Chinese	China	0.24093264248704663
RT_ICON	0xfcbc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.19291907514450868
RT_ICON	0x10224	0xab2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	0.8623082542001461
RT_ICON	0x10cd8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	Chinese	China	0.022650830355265925
RT_ICON	0x1a180	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	Chinese	China	0.03322550831792976
RT_ICON	0x1f608	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Chinese	China	0.038202645252716105
RT_ICON	0x23830	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 14880	Chinese	China	0.04028150134048258
RT_ICON	0x27278	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.051970954356846476
RT_ICON	0x29820	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	Chinese	China	0.059319526627218934
RT_ICON	0x2b288	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.08161350844277673
RT_ICON	0x2c330	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Chinese	China	0.12868852459016394
RT_ICON	0x2ccb8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	Chinese	China	0.1813953488372093
RT_ICON	0x2d370	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.17464539007092197
RT_MENU	0x2d7d8	0x50	data	Chinese	China	0.8375
RT_DIALOG	0x2d828	0x134	data	Chinese	China	0.5876623376623377
RT_STRING	0x2d95c	0x54	data	Chinese	China	0.5714285714285714
RT_ACCELERATOR	0x2d9b0	0x10	data	Chinese	China	1.25
RT_GROUP_ICON	0x2d9c0	0x148	data	Chinese	China	0.573170731707317
RT_MANIFEST	0x2db08	0x258	ASCII text, with CRLF line terminators	English	United States	0.5116666666666667

Imports

DLL	Import
KERNEL32.dll	GetModuleFileNameA, Sleep, VirtualFree, VirtualAlloc, GetCommandLineW, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoA, GetSystemTimeAsFileTime
USER32.dll	GetCursorPos, MessageBoxW
SHELL32.dll	CommandLineToArgvW
MSVCR90.dll	_XcptFilter, _exit, _ismbblead, _cexit, exit, _acmdln, _initterm, _initterm_e, __C_specific_handler, __setusermatherr, _commode, _fmode, _encode_pointer, __set_app_type, __crt_debugger_hook, ?terminate@@YAXXZ, _unlock, __dllonexit, _lock, _onexit, _decode_pointer, __getmainargs, _amsg_exit, memcpy, abs, memset, fopen, fseek, fread, _configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-31T11:46:40.736140+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49711	443	192.168.2.6	119.45.147.28
2024-08-31T11:47:44.891842+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49723	443	192.168.2.6	119.45.147.28
2024-08-31T11:45:59.094447+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49726	443	192.168.2.6	119.45.147.28
2024-08-31T11:47:12.829049+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49719	443	192.168.2.6	119.45.147.28

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2024 11:46:08.663294077 CEST	49711	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:46:08.663335085 CEST	443	49711	119.45.147.28	192.168.2.6
Aug 31, 2024 11:46:08.663444042 CEST	49711	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:46:08.670948982 CEST	49711	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:46:08.670963049 CEST	443	49711	119.45.147.28	192.168.2.6
Aug 31, 2024 11:46:40.736140013 CEST	49711	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:46:40.743164062 CEST	49719	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:46:40.743218899 CEST	443	49719	119.45.147.28	192.168.2.6
Aug 31, 2024 11:46:40.743304968 CEST	49719	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:46:40.743542910 CEST	49719	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:46:40.743557930 CEST	443	49719	119.45.147.28	192.168.2.6
Aug 31, 2024 11:47:12.829049110 CEST	49719	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:47:12.834815025 CEST	49723	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:47:12.834851027 CEST	443	49723	119.45.147.28	192.168.2.6
Aug 31, 2024 11:47:12.834925890 CEST	49723	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:47:12.835185051 CEST	49723	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:47:12.835200071 CEST	443	49723	119.45.147.28	192.168.2.6
Aug 31, 2024 11:47:44.891841888 CEST	49723	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:47:44.924423933 CEST	49726	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:47:44.924457073 CEST	443	49726	119.45.147.28	192.168.2.6
Aug 31, 2024 11:47:44.924551010 CEST	49726	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:47:44.924786091 CEST	49726	443	192.168.2.6	119.45.147.28
Aug 31, 2024 11:47:44.924797058 CEST	443	49726	119.45.147.28	192.168.2.6

Target ID:	0
Start time:	05:46:01
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\uA71eQl1nA.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\uA71eQl1nA.exe"
Imagebase:	0x7ff625960000
File size:	176'544 bytes
MD5 hash:	196C296463A4E3596F031F9BF492665F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24%
Dynamic/Decrypted Code Coverage:	4.7%
Signature Coverage:	18.8%
Total number of Nodes:	85
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0275010C Relevance: 1.8, APIs: 1, Instructions: 250
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(00000003,00000003,00000002,00000001), ref: 02750127

Part of subcall function 0275012B: HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 02750146

Memory Dump Source

Source File: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_uA71eQl1nA.jbxd

Yara matches

Similarity

API ID: ConnectHttpInternetOpenRequest
String ID:
API String ID: 1341064763-0
Opcode ID: 873df9c4afc2546a1442a618fe62eac0c09bbb6f8c60467f1a24664f2a33bf3d
Instruction ID: 6aae9cda68c6c9357563405910b4ddff8e8300f2158dd4ac2c00944dfa4c3606
Opcode Fuzzy Hash: 873df9c4afc2546a1442a618fe62eac0c09bbb6f8c60467f1a24664f2a33bf3d
Instruction Fuzzy Hash: 7E717C3165C3A55EDB269F78855A377FF95EB1E308B18159EDC81CB063C2E09842C74A

Function 00007FF62596138C Relevance: 10.6, APIs: 7, Instructions: 115
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 00007FF6259613A3
Sleep.KERNEL32 ref: 00007FF6259613D7
_amsg_exit.MSVCR90 ref: 00007FF6259613ED
_initterm.MSVCR90 ref: 00007FF62596144C
exit.MSVCR90 ref: 00007FF6259614FC
_cexit.MSVCR90 ref: 00007FF62596150B
_ismbblead.MSVCR90 ref: 00007FF62596152E

Memory Dump Source

Source File: 00000000.00000002.3355194546.00007FF625961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF625960000, based on PE: true

Associated: 00000000.00000002.3355182511.00007FF625960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355211058.00007FF625962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355224540.00007FF625964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff625960000_uA71eQl1nA.jbxd

Similarity

API ID: InfoSleepStartup_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 4226152999-0
Opcode ID: efa9d08f026538eba5460a8e89d7678a35acb1d85a733ec47946ed4e924bc49a
Instruction ID: 5f4c3d295958bc98247abdd80ea68eea0483610757a98dbbf7dd513195d5243c
Opcode Fuzzy Hash: efa9d08f026538eba5460a8e89d7678a35acb1d85a733ec47946ed4e924bc49a
Instruction Fuzzy Hash: 5651E271E1C7D386FF718F21AD4037966A0AB50B91F445135D94EC36A2DF6CEC88AB82

Function 00007FF625961170 Relevance: 10.6, APIs: 7, Instructions: 51
sleepmemorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6259610FC: GetCursorPos.USER32 ref: 00007FF62596110B

GetCommandLineW.KERNEL32 ref: 00007FF625961190
CommandLineToArgvW.SHELL32 ref: 00007FF62596119E
Sleep.KERNEL32 ref: 00007FF6259611B3
MessageBoxW.USER32 ref: 00007FF6259611D7
VirtualAlloc.KERNELBASE ref: 00007FF625961203
memcpy.MSVCR90 ref: 00007FF62596121F
VirtualFree.KERNEL32 ref: 00007FF625961231

Memory Dump Source

Source File: 00000000.00000002.3355194546.00007FF625961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF625960000, based on PE: true

Associated: 00000000.00000002.3355182511.00007FF625960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355211058.00007FF625962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355224540.00007FF625964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff625960000_uA71eQl1nA.jbxd

Similarity

API ID: CommandLineVirtual$AllocArgvCursorFreeMessageSleepmemcpy
String ID:
API String ID: 979759111-0
Opcode ID: b73ec664217b5a2a8efd1468c4b39278dedcd936ba1e329ffd9f8b4ff03f74ff
Instruction ID: 50d7dff96eeb9ea2a0adcf13843e49644f48c90efca4b3c9132a5e35d92f0477
Opcode Fuzzy Hash: b73ec664217b5a2a8efd1468c4b39278dedcd936ba1e329ffd9f8b4ff03f74ff
Instruction Fuzzy Hash: 21115E20F1C7C382FE389F61ED557B91251AF45F80F400035D94E86686DF2CEA0D9B82

Function 00007FF625961000 Relevance: 6.1, APIs: 4, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF625961052
fopen.MSVCR90 ref: 00007FF625961064
fseek.MSVCR90 ref: 00007FF625961083
fread.MSVCR90 ref: 00007FF62596109B

Memory Dump Source

Source File: 00000000.00000002.3355194546.00007FF625961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF625960000, based on PE: true

Associated: 00000000.00000002.3355182511.00007FF625960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355211058.00007FF625962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355224540.00007FF625964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff625960000_uA71eQl1nA.jbxd

Similarity

API ID: FileModuleNamefopenfreadfseek
String ID:
API String ID: 61248797-0
Opcode ID: e2ab62533fe2727c4afed391eb0506a7d84d4cb0fd168770317e06c746f5a0c3
Instruction ID: c16529537bd02677bd078a43998e46b7217720b5f05fbd76d2753d9e41e24760
Opcode Fuzzy Hash: e2ab62533fe2727c4afed391eb0506a7d84d4cb0fd168770317e06c746f5a0c3
Instruction Fuzzy Hash: ED217F21F187C281EE349F22EC402AA6651BB88FC4F484535DE4E87656DF3DEA49DB41

Function 00007FF6259610FC Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32 ref: 00007FF62596110B
abs.MSVCR90 ref: 00007FF62596113B
SleepEx.KERNEL32 ref: 00007FF62596114F
GetCursorPos.USER32 ref: 00007FF62596115A

Memory Dump Source

Source File: 00000000.00000002.3355194546.00007FF625961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF625960000, based on PE: true

Associated: 00000000.00000002.3355182511.00007FF625960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355211058.00007FF625962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355224540.00007FF625964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff625960000_uA71eQl1nA.jbxd

Similarity

API ID: Cursor$Sleep
String ID:
API String ID: 1847515627-0
Opcode ID: 5f998fbb9a03f8ce535d240d0b98797ae8a4175fc6e743fcc2beb06ba2ec3afa
Instruction ID: b335ddcfcbd879a1476679cbb2b511a144cf2de648c739dfc6039cc20b94f29b
Opcode Fuzzy Hash: 5f998fbb9a03f8ce535d240d0b98797ae8a4175fc6e743fcc2beb06ba2ec3afa
Instruction Fuzzy Hash: 0C01F432E1C6C387FE649F64EE8153D6260EF80F44F160035E64BC2596DF2CEC889A82

Function 0275012B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 02750146

Strings

U.;, xrefs: 02750141

Memory Dump Source

Source File: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_uA71eQl1nA.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: U.;
API String ID: 1984915467-4213443877
Opcode ID: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
Instruction ID: 2a54fdcdec2b80e193de146d54597e6f2445e8d26245f518f39c011ae9f51d3d
Opcode Fuzzy Hash: ab09341529980e95ac1e803047b3985bc20a26ea9b837d55d995e7e224907264
Instruction Fuzzy Hash: AD116D6034890D1BF61C91AE7C5A73A61CAD7CC765F24813FB94EC33D6DDA8CC82815A

Non-executed Functions

Function 00007FF6259612F0 Relevance: 15.1, APIs: 10, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6259616A3
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6259616C2
RtlVirtualUnwind.KERNEL32 ref: 00007FF62596170E
IsDebuggerPresent.KERNEL32 ref: 00007FF625961780
__crt_debugger_hook.MSVCR90 ref: 00007FF625961791
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF625961798
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6259617A5
__crt_debugger_hook.MSVCR90 ref: 00007FF6259617B9
GetCurrentProcess.KERNEL32 ref: 00007FF6259617BE
TerminateProcess.KERNEL32 ref: 00007FF6259617CC

Memory Dump Source

Source File: 00000000.00000002.3355194546.00007FF625961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF625960000, based on PE: true

Associated: 00000000.00000002.3355182511.00007FF625960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355211058.00007FF625962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355224540.00007FF625964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff625960000_uA71eQl1nA.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled__crt_debugger_hook$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3815035489-0
Opcode ID: a17a8dd3c319054adf368a232480b45a907422023f50f7ca2f70aae9b8364634
Instruction ID: cb3ad7bb6044bc78888c79ed507f756f23575ba68b11b404895ec8a82b7194fc
Opcode Fuzzy Hash: a17a8dd3c319054adf368a232480b45a907422023f50f7ca2f70aae9b8364634
Instruction Fuzzy Hash: 3131B035D18B8795EE209F50E84036973A4FB84B90F900036DA8E83766DF7CE85C8B82

Function 00007FF625961A64 Relevance: 7.5, APIs: 5, Instructions: 39
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF625961A9B
GetCurrentProcessId.KERNEL32 ref: 00007FF625961AA6
GetCurrentThreadId.KERNEL32 ref: 00007FF625961AB2
GetTickCount.KERNEL32 ref: 00007FF625961ABE
QueryPerformanceCounter.KERNEL32 ref: 00007FF625961ACF

Memory Dump Source

Source File: 00000000.00000002.3355194546.00007FF625961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF625960000, based on PE: true

Associated: 00000000.00000002.3355182511.00007FF625960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355211058.00007FF625962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355224540.00007FF625964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff625960000_uA71eQl1nA.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 397934418954568fb0fe083196244a5791e63ab94abec316ce2ef90042beb460
Instruction ID: e2f7f947d7bb6ff3222ead237784b08d3e89ab3662d6a3497a032fee74048b36
Opcode Fuzzy Hash: 397934418954568fb0fe083196244a5791e63ab94abec316ce2ef90042beb460
Instruction Fuzzy Hash: DF012721E29B8282EE608F21E8402656360BB49F91F546530EE6E877A5DF3CDC8C8781

Function 00007FF625961820 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62596182B

Memory Dump Source

Source File: 00000000.00000002.3355194546.00007FF625961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF625960000, based on PE: true

Associated: 00000000.00000002.3355182511.00007FF625960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355211058.00007FF625962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355224540.00007FF625964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff625960000_uA71eQl1nA.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1f564ca58756c1f2d77dcb3bbadb9968f820972ebdd681b75e89981cec4f8d3d
Instruction ID: a0a4b0da87a06ef409b90cd10ffe018b33d416f9dd78d57add60ba7b7be02685
Opcode Fuzzy Hash: 1f564ca58756c1f2d77dcb3bbadb9968f820972ebdd681b75e89981cec4f8d3d
Instruction Fuzzy Hash: 25B09224E15683C1DE14AF22AC8106012A0AB58B11FD00430C00EC0161DF1C999ECB42

Function 00007FF625961594 Relevance: 7.6, APIs: 5, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCR90 ref: 00007FF625961604
_encode_pointer.MSVCR90 ref: 00007FF62596160E
_RTC_Initialize.LIBCMT ref: 00007FF625961640
__setusermatherr.MSVCR90 ref: 00007FF62596165A
_configthreadlocale.MSVCR90 ref: 00007FF62596166C

Memory Dump Source

Source File: 00000000.00000002.3355194546.00007FF625961000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF625960000, based on PE: true

Associated: 00000000.00000002.3355182511.00007FF625960000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355211058.00007FF625962000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355224540.00007FF625964000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff625960000_uA71eQl1nA.jbxd

Similarity

API ID: Initialize__set_app_type__setusermatherr_configthreadlocale_encode_pointer
String ID:
API String ID: 701925997-0
Opcode ID: e5586d1100ce49df95b454e37c57d21e9346bf3b03c12b805237ac8ffc22a98b
Instruction ID: 4979b82c99310394cf89feea5dc87e5c43a6d40862c42f2a70038f5e6c2b51a0
Opcode Fuzzy Hash: e5586d1100ce49df95b454e37c57d21e9346bf3b03c12b805237ac8ffc22a98b
Instruction Fuzzy Hash: B6219C70D197838AEF709F64AD4427432A0AB04F65F504635D52EC21E2DF3DAD8DEB82

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uA71eQl1nA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

System Behavior

Windows Analysis Report
uA71eQl1nA.exe

Function 0275010C Relevance: 1.8, APIs: 1, Instructions: 250
networkCOMMON

Function 00007FF62596138C Relevance: 10.6, APIs: 7, Instructions: 115
sleepCOMMON

Function 00007FF625961170 Relevance: 10.6, APIs: 7, Instructions: 51
sleepmemorywindowCOMMON

Function 00007FF625961000 Relevance: 6.1, APIs: 4, Instructions: 70
fileCOMMON

Function 00007FF6259610FC Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Function 0275012B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Function 00007FF6259612F0 Relevance: 15.1, APIs: 10, Instructions: 67
COMMON

Function 00007FF625961A64 Relevance: 7.5, APIs: 5, Instructions: 39
timethreadCOMMON

Function 00007FF625961594 Relevance: 7.6, APIs: 5, Instructions: 52
COMMON