Windows Analysis Report
Xwl3DsNmN2.exe

Overview

General Information

Sample name: Xwl3DsNmN2.exe
renamed because original name is a hash value
Original sample name: f9ded81115c4c75971a6a683782d06ae.exe
Analysis ID: 1520459
MD5: f9ded81115c4c75971a6a683782d06ae
SHA1: 03ff74506788b9050e7374a665b00a69405f81dc
SHA256: b1ca829cc4b862f66977df476736c624666df294318fd781c41d1d256208cc63
Tags: exeuser-abuse_ch
Infos:

Detection

CobaltStrike, Metasploit, ReflectiveLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected Metasploit Payload
Yara detected Powershell download and execute
Yara detected ReflectiveLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Cobalt Strike, CobaltStrike Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
 https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Xwl3DsNmN2.exe Avira: detected
Found malware configuration
Source: Xwl3DsNmN2.exe Malware Configuration Extractor: Metasploit {"Type": "Shell Reverse Http", "URL": "http://89.197.154.115:7700/6CqFEOIEZ-_A_cH8pgiUAgokwto4FovQaLCp7IwjfjFOHLmm4PXOb0KwnKkTc0c4DgsIXI1BeciyULKIi1BQYK5r_ag_pWihXw1viMYb3a4ebq8yKbFx_6C"}
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 7700, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "89.197.154.115,/ptj", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Multi AV Scanner detection for submitted file
Source: Xwl3DsNmN2.exe ReversingLabs: Detection: 81%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: Xwl3DsNmN2.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7EF82 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_02F7EF82
Uses 32bit PE files
Source: Xwl3DsNmN2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Xwl3DsNmN2.exe
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F75225 _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_02F75225
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7A70E _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose, 0_2_02F7A70E
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 4x nop then cmp byte ptr [eax], ah 0_2_00406D7C

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 89.197.154.115:7700 -> 192.168.2.5:49704
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 89.197.154.115
Source: Malware configuration extractor URLs: http://89.197.154.115:7700/6CqFEOIEZ-_A_cH8pgiUAgokwto4FovQaLCp7IwjfjFOHLmm4PXOb0KwnKkTc0c4DgsIXI1BeciyULKIi1BQYK5r_ag_pWihXw1viMYb3a4ebq8yKbFx_6C
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 89.197.154.115:7700
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 89.197.154.115 89.197.154.115
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VIRTUAL1GB VIRTUAL1GB
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49704 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49706 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49707 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49711 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49712 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49710 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49708 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49709 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49714 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49715 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49720 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49727 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49726 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49734 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49728 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49736 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49738 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49729 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49741 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49740 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49724 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49745 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49742 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49752 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49754 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49751 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49746 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49758 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49765 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49769 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49774 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49761 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49776 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49778 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49756 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49777 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49732 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49771 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49781 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49783 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49757 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49787 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49760 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49735 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49786 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49792 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49770 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49779 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49763 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49775 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49797 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49768 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49731 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49790 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49743 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49791 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49807 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49798 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49764 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49737 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49767 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49810 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49766 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49748 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49747 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49773 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49739 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49796 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49750 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49762 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49788 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49793 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49744 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49782 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49780 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49808 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49812 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49801 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49759 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49749 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49784 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49805 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49802 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49800 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49811 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49789 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49794 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49806 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49803 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49753 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49804 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49799 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49809 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49772 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49795 -> 89.197.154.115:7700
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49785 -> 89.197.154.115:7700
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F78E51 GetTickCount,_malloc,htonl,recvfrom,WSAGetLastError,htonl,ioctlsocket, 0_2_02F78E51
Source: Xwl3DsNmN2.exe, 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Xwl3DsNmN2.exe, 00000000.00000003.2108588037.000000000052A000.00000004.00000020.00020000.00000000.sdmp, Xwl3DsNmN2.exe, 00000000.00000003.2097560571.0000000002EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?72289480ac637
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp, Xwl3DsNmN2.exe, 00000000.00000003.2108588037.000000000052A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabT
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp, Xwl3DsNmN2.exe, 00000000.00000003.2108588037.000000000052A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enS
Source: Xwl3DsNmN2.exe String found in binary or memory: http://www.apache.org/
Source: Xwl3DsNmN2.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Xwl3DsNmN2.exe String found in binary or memory: http://www.zeustech.net/
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.00000000004E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115/
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/6CqFEOIEZ-_A_cH8pgiUAgokwto4FovQaLCp7IwjfjFOHLmm4PXOb0KwnKkTc0c4DgsIXI1B
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/My
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/hy
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/oft
Source: Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptj
Source: Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptj-
Source: Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptj0
Source: Xwl3DsNmN2.exe, 00000000.00000003.2258428012.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptj476756634-1003
Source: Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptj7
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptj9
Source: Xwl3DsNmN2.exe, 00000000.00000003.2258428012.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjJ
Source: Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjP
Source: Xwl3DsNmN2.exe, 00000000.00000003.2258428012.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjW
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjft
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjh
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjm32
Source: Xwl3DsNmN2.exe, 00000000.00000002.3326550483.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjnnlsres.dll.muil
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjq
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/ptjs
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://89.197.154.115:7700/tjc

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Xwl3DsNmN2.exe, type: SAMPLE Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 0.0.Xwl3DsNmN2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 0.2.Xwl3DsNmN2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.3325548923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000000.2076699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3326762963.0000000002FA8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3326762963.0000000002FA8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3326164826.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_004096C0: DeviceIoControl, 0_2_004096C0
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F74A7E CreateProcessAsUserA,GetLastError,GetLastError,GetLastError,CreateProcessA,GetLastError, 0_2_02F74A7E
Detected potential crypto function
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F97BC0 0_2_02F97BC0
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F97320 0_2_02F97320
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F958FD 0_2_02F958FD
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F950D1 0_2_02F950D1
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F94828 0_2_02F94828
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F859E9 0_2_02F859E9
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F98190 0_2_02F98190
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F97945 0_2_02F97945
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F94CFD 0_2_02F94CFD
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F954DD 0_2_02F954DD
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F8ADDB 0_2_02F8ADDB
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032EA222 0_2_032EA222
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032F4924 0_2_032F4924
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032F4144 0_2_032F4144
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032F7007 0_2_032F7007
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032E2876 0_2_032E2876
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032E4E30 0_2_032E4E30
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032F4518 0_2_032F4518
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032F4D44 0_2_032F4D44
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032F75D7 0_2_032F75D7
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032F3C6F 0_2_032F3C6F
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: String function: 032EA7EB appears 39 times
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: String function: 02F8B3A4 appears 39 times
Sample file is different than original file name gathered from version info
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325665529.0000000000415000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameab.exeF vs Xwl3DsNmN2.exe
Source: Xwl3DsNmN2.exe Binary or memory string: OriginalFilenameab.exeF vs Xwl3DsNmN2.exe
Uses 32bit PE files
Source: Xwl3DsNmN2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: Xwl3DsNmN2.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 0.0.Xwl3DsNmN2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 0.2.Xwl3DsNmN2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.3325548923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000000.2076699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000002.3326762963.0000000002FA8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3326762963.0000000002FA8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3326164826.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Xwl3DsNmN2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F741CB LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_02F741CB
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F766BF CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32First,Thread32Next,Sleep, 0_2_02F766BF
Source: Xwl3DsNmN2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Xwl3DsNmN2.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Xwl3DsNmN2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Xwl3DsNmN2.exe

Data Obfuscation
barindex
Yara detected ReflectiveLoader
Source: Yara match File source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F99B57 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,FreeLibrary, 0_2_02F99B57
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_00406C2F push cs; retf 0_2_00406C63
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_00405AC2 push esi; ret 0_2_00405AC5
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_00405CFA push esi; retf 0_2_00405CFB
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_00403B44 push esp; retf 0000h 0_2_00403B46
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_00401B25 push ds; retf 0_2_00401B28
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_004035EF push ss; retf 0_2_004035F0
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F8B3E9 push ecx; ret 0_2_02F8B3FC
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F9CBE1 push FFFFFFCBh; retf 0_2_02F9CBE5
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F885D0 push eax; ret 0_2_02F885D7
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032E7A17 push eax; ret 0_2_032E7A1E
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032FB153 push 0000006Ah; retf 0_2_032FB22B
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032FB1BC push 0000006Ah; retf 0_2_032FB22B
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032FB1BA push 0000006Ah; retf 0_2_032FB22B
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032EA830 push ecx; ret 0_2_032EA843
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032E6F03 push edi; ret 0_2_032E6F04
Source: Xwl3DsNmN2.exe Static PE information: section name: .text entropy: 7.0231895913209765
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F73685 0_2_02F73685
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F77E57 0_2_02F77E57
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe API coverage: 6.4 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F77E57 0_2_02F77E57
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe TID: 320 Thread sleep count: 97 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe TID: 320 Thread sleep time: -5820000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F75225 _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_02F75225
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7A70E _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose, 0_2_02F7A70E
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Thread delayed: delay time: 60000 Jump to behavior
Source: Xwl3DsNmN2.exe, 00000000.00000002.3325770193.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, Xwl3DsNmN2.exe, 00000000.00000002.3325770193.0000000000505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F99375 MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,DebugBreak, 0_2_02F99375
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F99B57 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,FreeLibrary, 0_2_02F99B57
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7ABA0 mov eax, dword ptr fs:[00000030h] 0_2_02F7ABA0
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7B870 mov eax, dword ptr fs:[00000030h] 0_2_02F7B870
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032D9FE7 mov eax, dword ptr fs:[00000030h] 0_2_032D9FE7
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_032DACB7 mov eax, dword ptr fs:[00000030h] 0_2_032DACB7
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F96320 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_02F96320
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F90331 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02F90331
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F92950 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02F92950
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F8C4B2 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02F8C4B2

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7E272 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_02F7E272
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7E442 GetCurrentProcessId,AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_02F7E442
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: GetLocaleInfoA, 0_2_02F95EF0
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7427B CreateNamedPipeA, 0_2_02F7427B
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7386E GetLocalTime, 0_2_02F7386E
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F77F09 GetUserNameA,GetComputerNameA,GetModuleFileNameA,_strrchr,GetVersionExA,__snprintf, 0_2_02F77F09
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_00406D07 GetTimeZoneInformation, 0_2_00406D07
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F77F09 GetUserNameA,GetComputerNameA,GetModuleFileNameA,_strrchr,GetVersionExA,__snprintf, 0_2_02F77F09
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Remote Access Functionality
barindex
Yara detected CobaltStrike
Source: Yara match File source: Process Memory Space: Xwl3DsNmN2.exe PID: 4984, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.3326986916.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Xwl3DsNmN2.exe.2f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Xwl3DsNmN2.exe.2f70000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3326762963.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Metasploit Payload
Source: Yara match File source: Xwl3DsNmN2.exe, type: SAMPLE
Source: Yara match File source: 0.0.Xwl3DsNmN2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Xwl3DsNmN2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3325548923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2076699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3326164826.00000000005B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F78699 htonl,htons,socket,closesocket,bind,ioctlsocket, 0_2_02F78699
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F785B7 socket,htons,ioctlsocket,closesocket,bind,listen, 0_2_02F785B7
Source: C:\Users\user\Desktop\Xwl3DsNmN2.exe Code function: 0_2_02F7EDB3 socket,closesocket,htons,bind,listen, 0_2_02F7EDB3
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1520459 Sample: Xwl3DsNmN2.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 11 Suricata IDS alerts for network traffic 2->11 13 Found malware configuration 2->13 15 Malicious sample detected (through community Yara rule) 2->15 17 9 other signatures 2->17 5 Xwl3DsNmN2.exe 2->5         started        process3 dnsIp4 9 89.197.154.115, 49704, 49706, 49707 VIRTUAL1GB United Kingdom 5->9 19 Contains functionality to detect sleep reduction / modifications 5->19 signatures5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
89.197.154.115
 unknown United Kingdom
47474 VIRTUAL1GB true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://89.197.154.115:7700/6CqFEOIEZ-_A_cH8pgiUAgokwto4FovQaLCp7IwjfjFOHLmm4PXOb0KwnKkTc0c4DgsIXI1BeciyULKIi1BQYK5r_ag_pWihXw1viMYb3a4ebq8yKbFx_6C true
    		unknown
    89.197.154.115 true
      		unknown