Windows Analysis Report
mTGDPqzxwu.exe

Overview

General Information

Sample name: mTGDPqzxwu.exe
renamed because original name is a hash value
Original sample name: fe4452262e67ec54bb64bc76b303b5b4.exe
Analysis ID: 1520460
MD5: fe4452262e67ec54bb64bc76b303b5b4
SHA1: 2c0bdc07a45c65a736cd848b74c702f70a1c9bde
SHA256: 5d1ec27eb711dbafffe07dc8debb180abd22c3ebb0104a5c393252be6f65c5c0
Tags: exe, user-abuse_ch

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Searches for specific processes (likely to inject)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapter information
Contains functionality to read the clipboard data
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: mTGDPqzxwu.exe Avira: detected
Source: mTGDPqzxwu.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 80.8% probability
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F71E0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_006F71E0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F7180 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 0_2_006F7180
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F7240 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_006F7240
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006CF49C _strdup,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,fopen,free,CertOpenStore,_strdup,GetLastError,free,free,free,CryptStringToBinaryA,free,CertCloseStore,CertFindCertificateInStore,free,CertCloseStore,free,fseek,ftell,fread,fclose,MultiByteToWideChar,fseek,fclose,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertFreeCertificateContext,CertCloseStore,memset,memset,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,memset,strtol,strchr,strncmp,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free, 0_2_006CF49C
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006CD730 BCryptGenRandom, 0_2_006CD730
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006CD7F0 BCryptGenRandom, 0_2_006CD7F0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F5860 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext, 0_2_006F5860
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F58E0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_006F58E0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F58C0 CryptHashData, 0_2_006F58C0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006CD8A0 memset,BCryptGenRandom, 0_2_006CD8A0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F0940 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 0_2_006F0940
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F5D10 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 0_2_006F5D10
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F0E10 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx, 0_2_006F0E10
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006CEF40 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_006CEF40
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F7FA0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_006F7FA0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: -----BEGIN PUBLIC KEY----- 0_2_006AD8A0
Source: mTGDPqzxwu.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_006E2B00
Source: mTGDPqzxwu.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mTGDPqzxwu.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\netbios1.pdb7 source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\DriverInjectDll-master\bin\driver_inject_x64.pdb source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\ReplayClientTest.pdb source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\HookGameACE.pdb&& source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\InLineHookLib\Release\G_Game.pdb'' source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\InLineHookLib\Release\G_Game.pdb source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\netbios.pdb source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\netbios.pdb7 source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\JQMain.pdb source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\HookGameACE.pdb source: mTGDPqzxwu.exe
Source: Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\netbios1.pdb source: mTGDPqzxwu.exe
Source: unknown DNS traffic detected: query: 206.23.85.13.in-addr.arpa reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006910C0 #266,#265,#266,#265,WSARecv,#111,EnterCriticalSection,LeaveCriticalSection,#266, 0_2_006910C0
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: mTGDPqzxwu.exe String found in binary or memory: http://27.25.156.102:9999/style.html
Source: mTGDPqzxwu.exe String found in binary or memory: http://27.25.156.102:9999/style.htmlSoftware
Source: mTGDPqzxwu.exe String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: mTGDPqzxwu.exe String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: mTGDPqzxwu.exe String found in binary or memory: http://sf.symcd.com0&
Source: mTGDPqzxwu.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: mTGDPqzxwu.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: mTGDPqzxwu.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: mTGDPqzxwu.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: mTGDPqzxwu.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: mTGDPqzxwu.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: mTGDPqzxwu.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: mTGDPqzxwu.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_0068DB70 memset,memset,SHGetSpecialFolderPathA,_time64,OpenClipboard,GetClipboardData,GlobalSize,malloc,GlobalLock,memset,GlobalUnlock,CloseClipboard,SendMessageW,#296,#296,SendMessageW,#4815,SendMessageW,#8067,#290,#13656,#13656,#1045,#290,#13656,#1045,#290,#290,#4815,#1045,#1045,#290,GetPrivateProfileIntW,#1045,#13656,#290,#290,WritePrivateProfileStringW,WritePrivateProfileStringW,#1045,#1045,WritePrivateProfileStringW,#290,#290,WritePrivateProfileStringW,#1045,#1045,#13656,#1045,#1045,fopen,fclose, 0_2_0068DB70

System Summary

Source: mTGDPqzxwu.exe, type: SAMPLE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mTGDPqzxwu.exe.7323d8.2.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.mTGDPqzxwu.exe.7323d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006868F0 memset,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,memset,DeviceIoControl,memmove,malloc,free, 0_2_006868F0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00685CE0 OpenSCManagerA,OpenServiceA,GetLastError,MessageBoxA,CloseServiceHandle,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,ControlService,DeleteService,GetLastError, 0_2_00685CE0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F1010 0_2_006F1010
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006C91E0 0_2_006C91E0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006EB240 0_2_006EB240
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006C02B0 0_2_006C02B0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006D1320 0_2_006D1320
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006A5300 0_2_006A5300
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006D43E0 0_2_006D43E0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006CC420 0_2_006CC420
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006E6410 0_2_006E6410
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006CF49C 0_2_006CF49C
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006DE500 0_2_006DE500
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F3510 0_2_006F3510
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006866C0 0_2_006866C0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00686720 0_2_00686720
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00698710 0_2_00698710
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006B1A30 0_2_006B1A30
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006CAAE0 0_2_006CAAE0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006EFB00 0_2_006EFB00
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00683E70 0_2_00683E70
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006C9E20 0_2_006C9E20
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006DEEF0 0_2_006DEEF0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006F7F50 0_2_006F7F50
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006E3F90 0_2_006E3F90
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006E9F90 0_2_006E9F90
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: String function: 006B59A0 appears 38 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: String function: 006BC8B0 appears 38 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: String function: 006B5830 appears 299 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: String function: 006BC910 appears 77 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: String function: 006F4570 appears 32 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: String function: 006B5870 appears 81 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: String function: 006BF570 appears 43 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: String function: 006B5760 appears 427 times
Source: mTGDPqzxwu.exe Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: mTGDPqzxwu.exe Static PE information: Resource name: DRV type: PE32+ executable (native) x86-64, for MS Windows
Source: mTGDPqzxwu.exe Static PE information: Resource name: G_GAMEE type: PE32 executable (console) Intel 80386, for MS Windows
Source: mTGDPqzxwu.exe Static PE information: Resource name: OLDDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameJQMain.exe8 vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameInPut.dll: vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewjs3.dll: vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe Binary or memory string: OriginalFilenameJQMain.exe8 vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe Binary or memory string: OriginalFilenameInPut.dll: vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe Binary or memory string: OriginalFilenamewjs3.dll: vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe, type: SAMPLE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mTGDPqzxwu.exe.7323d8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.mTGDPqzxwu.exe.7323d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: mTGDPqzxwu.exe Binary string: \Device\CrashDumpUpload\DosDevices\CrashDumpUpload
Source: classification engine Classification label: mal72.evad.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00685030 CreateToolhelp32Snapshot,memset,#290,#290,Process32FirstW,CloseHandle,#5110,StrCmpW,#296,#4815,OpenFileMappingW,#1045,#5110,StrCmpW,#296,#4815,OpenFileMappingW,MapViewOfFile,OpenProcess,GetProcessTimes,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,_time64,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,#1045,Process32NextW,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,TerminateProcess,#1045,CloseHandle,#1045,#1045, 0_2_00685030
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00687050 memset,memset,memset,memset,P_LoadSystem,P_UserLogin,P_GetLoginValue,P_GetLoginValue,#296,#296,#1526,P_GetLoginValue,#290,#4815,#1045,#13806,P_GetDataValue,VirtualQuery,FindResourceW,#1045,#1045,SizeofResource,LoadResource,LockResource,memset,memset,fopen,fwrite,fclose,fclose,fclose,#1045,#1045,#13806, 0_2_00687050
Source: mTGDPqzxwu.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mTGDPqzxwu.exe ReversingLabs: Detection: 42%
Source: mTGDPqzxwu.exe String found in binary or memory: :8085/add
Source: mTGDPqzxwu.exe String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u
Source: mTGDPqzxwu.exe String found in binary or memory: A%dUnknown exceptionbad cast1721829950816Timestampapplication/jsonContent-TypelsjCustom-Header:8085/addhttp://UIN{"id":"UIN","txt":"data"}data:8085/query{"id":"UIN"}vector<bool> too longmap/set<T> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
Source: mTGDPqzxwu.exe String found in binary or memory: Unknown exceptionbad cast1721829950816Timestampapplication/jsonContent-TypelsjCustom-Header:8085/addhttp://UIN{"id":"UIN","txt":"data"}data:8085/query{"id":"UIN"}vector<bool> too longmap/set<T> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_: httpslist<T> too long4
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Section loaded: mfc140u.dll
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Section loaded: plfl32.dll
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Section loaded: uxtheme.dll
Source: mTGDPqzxwu.exe Static file information: File size 5087232 > 1048576
Source: mTGDPqzxwu.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x43f800
Source: mTGDPqzxwu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mTGDPqzxwu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mTGDPqzxwu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mTGDPqzxwu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mTGDPqzxwu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mTGDPqzxwu.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: mTGDPqzxwu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mTGDPqzxwu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mTGDPqzxwu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mTGDPqzxwu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mTGDPqzxwu.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_006B9100 #115,#116,GetModuleHandleA,GetProcAddress,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency, 0_2_006B9100
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_0069D1D6 push ecx; ret 0_2_0069D1E9
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_0068AA10 memset,memset,memset,memset,SHGetFolderPathA,SHGetSpecialFolderPathA,memset,GetPrivateProfileIntA,_time64,fopen,fwrite,fclose,GetFileAttributesA,CreateDirectoryA,CreateDirectoryA,GetFileAttributesA,CreateDirectoryA,WritePrivateProfileStringA,memset,memset,memset,memset,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,#13656,atoll,atoll,atoll,GetTickCount,GetTickCount,GetPrivateProfileIntA,GetTickCount,GetPrivateProfileIntA,#13656,memset,memset,memset,memset,memset,memset,memset,_access,_access,_access,#13656,memset,GetPrivateProfileStringA,memset,_time64,#13656,atoll,#13656,_access,GetPrivateProfileStringA,#13656,memset,GetPrivateProfileStringA,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,_access,memset,GetPrivateProfileStringA,_access,#13656,memset,memcpy,_time64,#13656, 0_2_0068AA10
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00687B80 IsIconic,memset,#890,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#1391,#11038, 0_2_00687B80
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00681620 memset,memset,LoadLibraryW,#296,#296,#4815,#4815,#4815,GetCurrentDirectoryW,#5110,SetCurrentDirectoryW,SetCurrentDirectoryW,#5110,LoadLibraryW,SetCurrentDirectoryW,#1045,#1045,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00681620
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: malloc,malloc,GetAdaptersInfo,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strstr,strstr,free, 0_2_006867F0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00691D70 P_GetLoginValue,#115,#111,CreateIoCompletionPort,CreateIoCompletionPort,CreateIoCompletionPort,CloseHandle,GetLastError,GetSystemInfo,CloseHandle,_beginthreadex,_beginthreadex,CloseHandle,_beginthreadex,CloseHandle, 0_2_00691D70
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_0069D37B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0069D37B
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_0069D50D SetUnhandledExceptionFilter, 0_2_0069D50D
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_0069CC6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0069CC6C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00689AC0 CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,#286,#5110,StrCmpW,#1045,Process32NextW,CloseHandle, 0_2_00689AC0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00689BC0 CreateToolhelp32Snapshot,memset,Process32FirstW,CloseHandle,StrCmpW,StrCmpW,StrCmpW,StrCmpW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,CloseHandle, 0_2_00689BC0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00689D90 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateToolhelp32Snapshot,memset,Process32FirstW,StrCmpW,Process32NextW,CloseHandle,#296,memset,GetWindowTextW,StrCmpW,OpenProcess,TerminateProcess,CloseHandle,GetWindowThreadProcessId,CreateThread,GetTickCount,GetTickCount,OpenProcess,TerminateProcess,CloseHandle,#1045, 0_2_00689D90
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_00684E60 CreateToolhelp32Snapshot,memset,#290,Process32FirstW,#5110,StrCmpW,#296,#4815,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,#1045,Process32NextW,CloseHandle,#1045, 0_2_00684E60
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_0069D5B6 cpuid 0_2_0069D5B6
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe Code function: 0_2_0069D26D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0069D26D
No contacted IP infos