Windows Analysis Report
NLBgWmWGow.exe

Overview

General Information

Sample name: NLBgWmWGow.exe
Renamed because the original name is a hash value
Original sample name: f34858ad51b208fba47332eebcfa2cd0.exe
Analysis ID: 1522526
MD5: f34858ad51b208fba47332eebcfa2cd0
SHA1: 68a1f0b10fb9a75efa3f62fbf4984624f5b04809
SHA256: 82be5b66142d4141a92f318cf0b103e9dd01a5508e0ca468652376faa9d4b2e7
Tags: exeuser-abuse_ch

Detection

Sliver
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Sliver Implants
AI detected suspicious sample
Machine Learning detection for sample
Potentially malicious time measurement code found
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

AV Detection

Source: NLBgWmWGow.exe ReversingLabs: Detection: 65%
Source: NLBgWmWGow.exe Virustotal: Detection: 73%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.3% probability
Source: NLBgWmWGow.exe Joe Sandbox ML: detected
Source: NLBgWmWGow.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 4x nop then mov rdi, 0000800000000000h 5_2_008E7120
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 4x nop then mov rsi, r9 5_2_008E7EC0
Source: global traffic TCP traffic: 192.168.2.7:49699 -> 206.189.41.151:8443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ns1.mtls.ink
Source: NLBgWmWGow.exe, 00000005.00000002.2524562692.000000C00001C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_8e9ce39f-8

System Summary

Source: NLBgWmWGow.exe, type: SAMPLE Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: NLBgWmWGow.exe, type: SAMPLE Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000005.00000000.1270976359.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008C60A0 5_2_008C60A0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_009068C0 5_2_009068C0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_00904000 5_2_00904000
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008C6980 5_2_008C6980
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008E4980 5_2_008E4980
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_00908100 5_2_00908100
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008CD120 5_2_008CD120
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008E9120 5_2_008E9120
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008E7120 5_2_008E7120
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_00906AA0 5_2_00906AA0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008DE260 5_2_008DE260
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008CBBA0 5_2_008CBBA0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008F33C0 5_2_008F33C0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008D4B40 5_2_008D4B40
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008DBCA0 5_2_008DBCA0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008E3CC0 5_2_008E3CC0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008E75A0 5_2_008E75A0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008DF520 5_2_008DF520
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008CC560 5_2_008CC560
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008F0560 5_2_008F0560
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008E7EC0 5_2_008E7EC0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008C6E40 5_2_008C6E40
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008D3E60 5_2_008D3E60
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008D8F80 5_2_008D8F80
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008F5FE0 5_2_008F5FE0
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008C9740 5_2_008C9740
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: String function: 00907340 appears 37 times
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: String function: 008F2BC0 appears 304 times
Source: NLBgWmWGow.exe, type: SAMPLE Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: NLBgWmWGow.exe, type: SAMPLE Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000005.00000000.1270976359.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\NLBgWmWGow.exe File opened: C:\Windows\system32\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 Jump to behavior
Source: NLBgWmWGow.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NLBgWmWGow.exe ReversingLabs: Detection: 65%
Source: NLBgWmWGow.exe Virustotal: Detection: 73%
Source: C:\Users\user\Desktop\NLBgWmWGow.exe File read: C:\Users\user\Desktop\NLBgWmWGow.exe
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Section loaded: samlib.dll
Source: NLBgWmWGow.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: NLBgWmWGow.exe Static file information: File size 15672832 > 1048576
Source: NLBgWmWGow.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x900400
Source: NLBgWmWGow.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x587c00
Source: NLBgWmWGow.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: NLBgWmWGow.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_008D8BD4 push rax; retn 00A9h 5_2_008D8BD5
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_0091B800 rdtscp 5_2_0091B800
Source: NLBgWmWGow.exe, 00000005.00000002.2526349223.000001A9EB02C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_0091B800 Start: 0091B809 End: 0091B81F 5_2_0091B800
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Code function: 5_2_0091B800 rdtscp 5_2_0091B800
Source: C:\Users\user\Desktop\NLBgWmWGow.exe Queries volume information: C:\Users\user\Desktop\NLBgWmWGow.exe VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.2524562692.000000C000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.2524562692.000000C000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR