Windows
Analysis Report
DRVf7H9j4V.exe
Overview
General Information
Sample name: | DRVf7H9j4V.exerenamed because original name is a hash value |
Original sample name: | ef9e66020f10a61f05bc865b167248d5.exe |
Analysis ID: | 1520612 |
MD5: | ef9e66020f10a61f05bc865b167248d5 |
SHA1: | d17d15d3234e278a6110d1f23ea3369c5c68238c |
SHA256: | ec8e8680522e7ecb16043670512d860de1f5ee95b7c3cadb4b6612e92a21af77 |
Tags: | exeuser-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- DRVf7H9j4V.exe (PID: 4136 cmdline:
"C:\Users\ user\Deskt op\DRVf7H9 j4V.exe" MD5: EF9E66020F10A61F05BC865B167248D5)
- cleanup
{"Type": "Shell Reverse Http", "URL": "http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_24338919 | Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_24338919 | Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_24338919 | Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Click to see the 1 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_24338919 | Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). | unknown |
| |
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
Click to see the 1 entries |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_0040A430 | |
Source: | Code function: | 0_2_00401E39 | |
Source: | Code function: | 0_2_004056C0 | |
Source: | Code function: | 0_2_004066E0 | |
Source: | Code function: | 0_2_004056F0 | |
Source: | Code function: | 0_2_00408680 | |
Source: | Code function: | 0_2_004058A1 | |
Source: | Code function: | 0_2_004056B1 | |
Source: | Code function: | 0_2_0040566F | |
Source: | Code function: | 0_2_004067C3 | |
Source: | Code function: | 0_2_004059A4 |
Networking |
---|
Source: | URLs: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_0040162C | |
Source: | Code function: | 0_2_00690095 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00401A79 | |
Source: | Code function: | 0_2_004070DD | |
Source: | Code function: | 0_2_00401308 | |
Source: | Code function: | 0_2_0040277A | |
Source: | Code function: | 0_2_00405125 | |
Source: | Code function: | 0_2_00401528 | |
Source: | Code function: | 0_2_004055C9 | |
Source: | Code function: | 0_2_00401A79 | |
Source: | Code function: | 0_2_004079ED | |
Source: | Code function: | 0_2_00401E0A | |
Source: | Code function: | 0_2_00403F9A | |
Source: | Code function: | 0_2_00401A79 |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Software Packing | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 111 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 1 Ingress Tool Transfer | Scheduled Transfer | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
82% | ReversingLabs | Win32.Backdoor.Swrort | ||
100% | Avira | TR/Patched.Gen2 | ||
100% | Joe Sandbox ML |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
true | unknown | |||
false | unknown | |||
false | unknown | |||
false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
89.197.154.115 | unknown | United Kingdom | 47474 | VIRTUAL1GB | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1520612 |
Start date and time: | 2024-09-27 16:47:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 14s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | DRVf7H9j4V.exerenamed because original name is a hash value |
Original Sample Name: | ef9e66020f10a61f05bc865b167248d5.exe |
Detection: | MAL |
Classification: | mal100.troj.winEXE@1/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: DRVf7H9j4V.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
89.197.154.115 | Get hash | malicious | CobaltStrike, Metasploit | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
VIRTUAL1GB | Get hash | malicious | CobaltStrike, Metasploit, ReflectiveLoader | Browse |
| |
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | Empire | Browse |
| ||
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | Metasploit | Browse |
|
File type: | |
Entropy (8bit): | 6.320795398128895 |
TrID: |
|
File name: | DRVf7H9j4V.exe |
File size: | 73'802 bytes |
MD5: | ef9e66020f10a61f05bc865b167248d5 |
SHA1: | d17d15d3234e278a6110d1f23ea3369c5c68238c |
SHA256: | ec8e8680522e7ecb16043670512d860de1f5ee95b7c3cadb4b6612e92a21af77 |
SHA512: | dd241344746df57562bcaded738acf032a4e6b1d969aabd5ce0fee2a132b730ab5a2ed3525d9f917ea108b26f8a1f94cec1fe003084a87e000805d9998dd5b24 |
SSDEEP: | 1536:IdySJofJXkkx6aplLfDogqZrDmxPOmHMZovycMb+KR0Nc8QsJq39:HSWJ6AdPq5uD/e0Nc8QsC9 |
TLSH: | CE73BF8285C84426D192113D67723B77AEB4F5FA3312C2DA794CCDE5EBD18B0926A3C7 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L...[l.J........... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40acb7 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4A186C5B [Sat May 23 21:36:27 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 481f47bbb2c9c21e108d65f52b04c448 |
Instruction |
---|
aaa |
std |
salc |
xchg eax, ebx |
salc |
cld |
dec ecx |
dec edx |
xchg eax, edx |
xchg eax, edx |
aaa |
std |
dec eax |
xchg eax, ebx |
std |
clc |
aaa |
cmc |
inc eax |
cmc |
daa |
inc ecx |
xchg eax, ecx |
inc eax |
aaa |
inc eax |
dec eax |
stc |
aaa |
inc ecx |
cwde |
cmc |
std |
inc eax |
clc |
cmc |
wait |
das |
cwde |
cmc |
wait |
lahf |
stc |
dec ebx |
dec eax |
cmc |
lahf |
salc |
daa |
std |
dec ebx |
inc ecx |
xchg eax, ecx |
inc edx |
inc eax |
dec ebx |
stc |
clc |
nop |
cdq |
xchg eax, edx |
aas |
wait |
inc ecx |
lahf |
xchg eax, ebx |
xchg eax, edx |
dec eax |
dec ecx |
lahf |
daa |
cmc |
inc ecx |
dec eax |
clc |
cld |
inc ebx |
dec ebx |
inc ecx |
xchg eax, ebx |
lahf |
dec ecx |
dec eax |
dec ecx |
inc eax |
cdq |
dec edx |
daa |
lahf |
inc ecx |
cld |
inc edx |
xchg eax, ebx |
cmc |
aas |
std |
wait |
xchg eax, edx |
salc |
aas |
inc ebx |
das |
xchg eax, ecx |
wait |
inc edx |
dec edx |
std |
salc |
salc |
dec ebx |
cmc |
inc ecx |
dec edx |
dec edx |
aas |
aas |
clc |
stc |
std |
dec ecx |
stc |
dec ecx |
inc edx |
inc edx |
aas |
stc |
clc |
cdq |
wait |
nop |
xchg eax, ebx |
salc |
inc eax |
jmp 00007F63A47FF584h |
mov eax, dword ptr [ebp-04h] |
dec esi |
mov edi, edx |
not al |
mov ecx, dword ptr [ecx] |
jnbe 00007F63A48092DCh |
fdiv st(0), st(4) |
pop ecx |
dec dword ptr [ebx-763F97FEh] |
call 00007F635705A2C1h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc76c | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x7c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1e0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa966 | 0xb000 | be0895c261ed1f2c36850c00f27cbd88 | False | 0.8146750710227273 | data | 7.017108244459124 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0xfe6 | 0x1000 | 25d7ceee3aa85bb3e8c5174736f6f830 | False | 0.46142578125 | DOS executable (COM, 0x8C-variant) | 5.318390353744998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x15000 | 0x7c8 | 0x1000 | c13a9413aea7291b6fc85d75bfcde381 | False | 0.197998046875 | data | 1.958296025171192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x15060 | 0x768 | data | English | United States | 0.40189873417721517 |
DLL | Import |
---|---|
MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp |
KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree |
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid |
WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError |
WS2_32.dll | WSARecv, WSASend |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2024 16:48:07.285060883 CEST | 49704 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:07.290663958 CEST | 7700 | 49704 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:07.290751934 CEST | 49704 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:07.290910006 CEST | 49704 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:07.296689987 CEST | 7700 | 49704 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:08.929980040 CEST | 7700 | 49704 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:08.930071115 CEST | 49704 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:08.930639029 CEST | 49704 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:08.935415030 CEST | 7700 | 49704 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:13.947911024 CEST | 49705 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:13.952990055 CEST | 7700 | 49705 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:13.953099012 CEST | 49705 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:14.034622908 CEST | 49705 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:14.039520025 CEST | 7700 | 49705 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:15.632065058 CEST | 7700 | 49705 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:15.632210970 CEST | 49705 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:15.632404089 CEST | 49705 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:15.637361050 CEST | 7700 | 49705 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:20.646162987 CEST | 49706 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:20.651185036 CEST | 7700 | 49706 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:20.651284933 CEST | 49706 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:20.651420116 CEST | 49706 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:20.656600952 CEST | 7700 | 49706 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:22.237344027 CEST | 7700 | 49706 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:22.237468004 CEST | 49706 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:22.237622976 CEST | 49706 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:22.242470980 CEST | 7700 | 49706 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:27.242530107 CEST | 49713 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:27.247556925 CEST | 7700 | 49713 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:27.247736931 CEST | 49713 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:27.248523951 CEST | 49713 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:27.253443003 CEST | 7700 | 49713 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:28.846395969 CEST | 7700 | 49713 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:28.846558094 CEST | 49713 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:28.846669912 CEST | 49713 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:28.851411104 CEST | 7700 | 49713 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:33.849343061 CEST | 49714 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:33.854461908 CEST | 7700 | 49714 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:33.854608059 CEST | 49714 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:33.854751110 CEST | 49714 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:33.859591961 CEST | 7700 | 49714 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:35.440608025 CEST | 7700 | 49714 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:35.440773010 CEST | 49714 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:35.440881014 CEST | 49714 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:35.445682049 CEST | 7700 | 49714 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:40.443249941 CEST | 49715 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:40.448215008 CEST | 7700 | 49715 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:40.448355913 CEST | 49715 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:40.448544979 CEST | 49715 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:40.453278065 CEST | 7700 | 49715 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:42.068162918 CEST | 7700 | 49715 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:42.068270922 CEST | 49715 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:42.068398952 CEST | 49715 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:42.073319912 CEST | 7700 | 49715 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:47.085689068 CEST | 49716 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:47.090668917 CEST | 7700 | 49716 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:47.090785027 CEST | 49716 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:47.095710039 CEST | 49716 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:47.100516081 CEST | 7700 | 49716 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:48.742861032 CEST | 7700 | 49716 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:48.742944956 CEST | 49716 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:48.745078087 CEST | 49716 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:48.750086069 CEST | 7700 | 49716 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:53.755589008 CEST | 63653 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:53.760560989 CEST | 7700 | 63653 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:48:53.763885975 CEST | 63653 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:53.764013052 CEST | 63653 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:48:53.768867970 CEST | 7700 | 63653 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:07.277578115 CEST | 7700 | 63653 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:07.277687073 CEST | 63653 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:07.277825117 CEST | 63653 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:07.283054113 CEST | 7700 | 63653 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:12.286906958 CEST | 63654 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:12.291991949 CEST | 7700 | 63654 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:12.292115927 CEST | 63654 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:12.292284966 CEST | 63654 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:12.297576904 CEST | 7700 | 63654 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:13.897751093 CEST | 7700 | 63654 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:13.897838116 CEST | 63654 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:13.898063898 CEST | 63654 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:13.902849913 CEST | 7700 | 63654 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:18.913669109 CEST | 63655 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:18.918634892 CEST | 7700 | 63655 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:18.918781042 CEST | 63655 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:18.918940067 CEST | 63655 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:18.924060106 CEST | 7700 | 63655 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:20.528995991 CEST | 7700 | 63655 | 89.197.154.115 | 192.168.2.8 |
Sep 27, 2024 16:49:20.529052973 CEST | 63655 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:20.533181906 CEST | 63655 | 7700 | 192.168.2.8 | 89.197.154.115 |
Sep 27, 2024 16:49:20.538019896 CEST | 7700 | 63655 | 89.197.154.115 | 192.168.2.8 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2024 16:48:51.121382952 CEST | 53 | 57343 | 162.159.36.2 | 192.168.2.8 |
Sep 27, 2024 16:48:51.693257093 CEST | 53 | 64761 | 1.1.1.1 | 192.168.2.8 |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.8 | 49704 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:48:07.290910006 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.8 | 49705 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:48:14.034622908 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
2 | 192.168.2.8 | 49706 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:48:20.651420116 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
3 | 192.168.2.8 | 49713 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:48:27.248523951 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
4 | 192.168.2.8 | 49714 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:48:33.854751110 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
5 | 192.168.2.8 | 49715 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:48:40.448544979 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
6 | 192.168.2.8 | 49716 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:48:47.095710039 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
7 | 192.168.2.8 | 63653 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:48:53.764013052 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
8 | 192.168.2.8 | 63654 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:49:12.292284966 CEST | 328 | OUT |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
9 | 192.168.2.8 | 63655 | 89.197.154.115 | 7700 | 4136 | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2024 16:49:18.918940067 CEST | 328 | OUT |
Target ID: | 0 |
Start time: | 10:48:05 |
Start date: | 27/09/2024 |
Path: | C:\Users\user\Desktop\DRVf7H9j4V.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73'802 bytes |
MD5 hash: | EF9E66020F10A61F05BC865B167248D5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Execution Graph
Execution Coverage: | 4.4% |
Dynamic/Decrypted Code Coverage: | 28.3% |
Signature Coverage: | 17.4% |
Total number of Nodes: | 92 |
Total number of Limit Nodes: | 3 |
Graph
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00690225 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040140F Relevance: 1.3, APIs: 1, Instructions: 71COMMON
Control-flow Graph
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401390 Relevance: 1.3, APIs: 1, Instructions: 26memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040139A Relevance: 1.3, APIs: 1, Instructions: 24memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004013E4 Relevance: 1.3, APIs: 1, Instructions: 20memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004013FE Relevance: 1.3, APIs: 1, Instructions: 11memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004058A1 Relevance: .2, Instructions: 203COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040162C Relevance: .1, Instructions: 125COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00401E39 Relevance: .1, Instructions: 101COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004066E0 Relevance: .1, Instructions: 81COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004059A4 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004056B1 Relevance: .1, Instructions: 61COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040566F Relevance: .1, Instructions: 58COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004056C0 Relevance: .1, Instructions: 54COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00408680 Relevance: .0, Instructions: 47COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004067C3 Relevance: .0, Instructions: 47COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 004056F0 Relevance: .0, Instructions: 30COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|