Source: NLBgWmWGow.exe |
ReversingLabs: Detection: 65% |
Source: NLBgWmWGow.exe |
Virustotal: Detection: 73% |
Perma Link |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 99.3% probability |
Source: NLBgWmWGow.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 4x nop then mov rdi, 0000800000000000h |
5_2_008E7120 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 4x nop then mov rsi, r9 |
5_2_008E7EC0 |
Source: global traffic |
TCP traffic: 192.168.2.7:49699 -> 206.189.41.151:8443 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: ns1.mtls.ink |
Source: NLBgWmWGow.exe, 00000005.00000002.2524562692.000000C00001C000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: RegisterRawInputDevices |
memstr_8e9ce39f-8 |
Source: NLBgWmWGow.exe, type: SAMPLE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: NLBgWmWGow.exe, type: SAMPLE |
Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen |
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen |
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen |
Source: 00000005.00000000.1270976359.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008C60A0 |
5_2_008C60A0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_009068C0 |
5_2_009068C0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_00904000 |
5_2_00904000 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008C6980 |
5_2_008C6980 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008E4980 |
5_2_008E4980 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_00908100 |
5_2_00908100 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008CD120 |
5_2_008CD120 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008E9120 |
5_2_008E9120 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008E7120 |
5_2_008E7120 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_00906AA0 |
5_2_00906AA0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008DE260 |
5_2_008DE260 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008CBBA0 |
5_2_008CBBA0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008F33C0 |
5_2_008F33C0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008D4B40 |
5_2_008D4B40 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008DBCA0 |
5_2_008DBCA0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008E3CC0 |
5_2_008E3CC0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008E75A0 |
5_2_008E75A0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008DF520 |
5_2_008DF520 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008CC560 |
5_2_008CC560 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008F0560 |
5_2_008F0560 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008E7EC0 |
5_2_008E7EC0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008C6E40 |
5_2_008C6E40 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008D3E60 |
5_2_008D3E60 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008D8F80 |
5_2_008D8F80 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008F5FE0 |
5_2_008F5FE0 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008C9740 |
5_2_008C9740 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: String function: 00907340 appears 37 times |
|
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: String function: 008F2BC0 appears 304 times |
|
Source: NLBgWmWGow.exe, type: SAMPLE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: NLBgWmWGow.exe, type: SAMPLE |
Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team |
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: 5.0.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team |
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: 5.2.NLBgWmWGow.exe.8c0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team |
Source: 00000005.00000000.1270976359.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: 00000005.00000002.2523870276.0000000001404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/1@1/1 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
File opened: C:\Windows\system32\33db74b0aa7deaed71a182d6a7ac4a6e49cb377fd8b76bee27669bf3bf1f0a09AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
Jump to behavior |
Source: NLBgWmWGow.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: NLBgWmWGow.exe |
ReversingLabs: Detection: 65% |
Source: NLBgWmWGow.exe |
Virustotal: Detection: 73% |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
File read: C:\Users\user\Desktop\NLBgWmWGow.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: powrprof.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: umpdc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: netapi32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: wkscli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: samcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Section loaded: samlib.dll |
Jump to behavior |
Source: NLBgWmWGow.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: NLBgWmWGow.exe |
Static file information: File size 15672832 > 1048576 |
Source: NLBgWmWGow.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x900400 |
Source: NLBgWmWGow.exe |
Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x587c00 |
Source: NLBgWmWGow.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: NLBgWmWGow.exe |
Static PE information: section name: .symtab |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_008D8BD4 push rax; retn 00A9h |
5_2_008D8BD5 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_0091B800 rdtscp |
5_2_0091B800 |
Source: NLBgWmWGow.exe, 00000005.00000002.2526349223.000001A9EB02C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_0091B800 Start: 0091B809 End: 0091B81F |
5_2_0091B800 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Code function: 5_2_0091B800 rdtscp |
5_2_0091B800 |
Source: C:\Users\user\Desktop\NLBgWmWGow.exe |
Queries volume information: C:\Users\user\Desktop\NLBgWmWGow.exe VolumeInformation |
Jump to behavior |
Source: Yara match |
File source: 00000005.00000002.2524562692.000000C000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR |
Source: Yara match |
File source: 00000005.00000002.2524562692.000000C000060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: NLBgWmWGow.exe PID: 2192, type: MEMORYSTR |