Windows
Analysis Report
NLBgWmWGow.exe
Overview
General Information
Sample name: | NLBgWmWGow.exe (renamed because original name is a hash value) |
Original sample name: | f34858ad51b208fba47332eebcfa2cd0.exe |
Analysis ID: | 1522526 |
MD5: | f34858ad51b208fba47332eebcfa2cd0 |
SHA1: | 68a1f0b10fb9a75efa3f62fbf4984624f5b04809 |
SHA256: | 82be5b66142d4141a92f318cf0b103e9dd01a5508e0ca468652376faa9d4b2e7 |
Tags: | exe, user-abuse_ch |
Infos: | |
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- NLBgWmWGow.exe (PID: 2192 cmdline: "C:\Users\user\Desktop\NLBgWmWGow.exe" MD5: F34858AD51B208FBA47332EEBCFA2CD0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Sliver | According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
 | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | |
 | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
 | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
 | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | |
 | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
 | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen | |
 | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
 | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen | |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: | 5_2_008E7120 |
Source: | Code function: | 5_2_008E7EC0 |
Source: | TCP traffic: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | Binary or memory string: | memstr_8e9ce39f-8 |
System Summary |
---|
Source: | Matched rule: | (9 matches) |
Source: | Code function: | 5_2_008C60A0 |
Source: | Code function: | 5_2_009068C0 |
Source: | Code function: | 5_2_00904000 |
Source: | Code function: | 5_2_008C6980 |
Source: | Code function: | 5_2_008E4980 |
Source: | Code function: | 5_2_00908100 |
Source: | Code function: | 5_2_008CD120 |
Source: | Code function: | 5_2_008E9120 |
Source: | Code function: | 5_2_008E7120 |
Source: | Code function: | 5_2_00906AA0 |
Source: | Code function: | 5_2_008DE260 |
Source: | Code function: | 5_2_008CBBA0 |
Source: | Code function: | 5_2_008F33C0 |
Source: | Code function: | 5_2_008D4B40 |
Source: | Code function: | 5_2_008DBCA0 |
Source: | Code function: | 5_2_008E3CC0 |
Source: | Code function: | 5_2_008E75A0 |
Source: | Code function: | 5_2_008DF520 |
Source: | Code function: | 5_2_008CC560 |
Source: | Code function: | 5_2_008F0560 |
Source: | Code function: | 5_2_008E7EC0 |
Source: | Code function: | 5_2_008C6E40 |
Source: | Code function: | 5_2_008D3E60 |
Source: | Code function: | 5_2_008D8F80 |
Source: | Code function: | 5_2_008F5FE0 |
Source: | Code function: | 5_2_008C9740 |
Source: | Matched rule: | (9 matches) |
Source: | Classification label: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | File read: |
Source: | Section loaded: | (17 entries) |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | (4 entries) |
Source: | Code function: | 5_2_008D8BD5 |
Source: | Process information set: | (2 entries) |
Source: | Code function: | 5_2_0091B800 |
Source: | Binary or memory string: |
Anti Debugging |
---|
Source: | Code function: | 5_2_0091B800 |
Source: | Code function: | 5_2_0091B800 |
Source: | Queries volume information: |
Stealing of Sensitive Information |
---|
Source: | File source: | (2 entries) |
Remote Access Functionality |
---|
Source: | File source: | (2 entries) |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 11 Security Software Discovery | Remote Services | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 11 System Information Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 66% | ReversingLabs | Win64.Trojan.SliverMarte | |
 | 74% | Virustotal | | |
 | 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 1% | Virustotal | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
ns1.mtls.ink | 206.189.41.151 | true | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
206.189.41.151 | ns1.mtls.ink | United States | | 14061 | DIGITALOCEAN-ASNUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1522526 |
Start date and time: | 2024-09-30 10:03:37 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | NLBgWmWGow.exe (renamed because original name is a hash value) |
Original Sample Name: | f34858ad51b208fba47332eebcfa2cd0.exe |
Detection: | MAL |
Classification: | mal76.troj.evad.winEXE@1/1@1/1 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Execution Graph export aborted for target NLBgWmWGow.exe, PID 2192 because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ns1.mtls.ink | | | malicious | Sliver | | |
 | | | malicious | Sliver | | |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
DIGITALOCEAN-ASNUS | | | malicious | Unknown | | |
 | | | malicious | LummaC | | |
 | | | malicious | Unknown | | |
 | | | malicious | Unknown | | |
 | | | malicious | Unknown | | |
 | | | malicious | Unknown | | |
 | | | malicious | Unknown | | |
 | | | malicious | Unknown | | |
 | | | malicious | Unknown | | |
 | | | malicious | Unknown | | |
Process: | C:\Users\user\Desktop\NLBgWmWGow.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 160 |
Entropy (8bit): | 4.438743916256937 |
Encrypted: | false |
SSDEEP: | 3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty |
MD5: | E467C82627F5E1524FDB4415AF19FC73 |
SHA1: | B86E3AA40E9FBED0494375A702EABAF1F2E56F8E |
SHA-256: | 116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540 |
SHA-512: | 2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 6.10917788007758 |
TrID: | |
File name: | NLBgWmWGow.exe |
File size: | 15'672'832 bytes |
MD5: | f34858ad51b208fba47332eebcfa2cd0 |
SHA1: | 68a1f0b10fb9a75efa3f62fbf4984624f5b04809 |
SHA256: | 82be5b66142d4141a92f318cf0b103e9dd01a5508e0ca468652376faa9d4b2e7 |
SHA512: | 2adba33e4a9e1fa1c9d362190515ec37c3c46edecbefd14d547d29e04d633a7ae468189c146ed01f95b7616e3663bb1c5ccb27811d82f1e7ad7c473bbcae4039 |
SSDEEP: | 98304:h63dpYiApoaf25MqGpseB//7C7Y6bEZHCiOUTra2sE3KPcq7:0dpY9oaIGpz//7C7FEZHCiOUTm2Fz8 |
TLSH: | 33F60803E8D51198C8F9D1B489254272BA70785C1B7933DB2B61F7B52B327F09EBA790 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........$........"...........................@..............................P............`... ............................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x45d0a0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x0 [Thu Jan 1 00:00:00 1970 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | f0ea7b7844bbc5bfa9bb32efdcea957c |
Instruction (entrypoint code; the listing decodes this 64-bit code in 32-bit mode, so the dec eax / dec ecx / dec esp / inc esp lines are the REX prefix bytes 48h / 49h / 4Ch / 44h of the instruction that follows each of them) |
---|
jmp 00007F1E98806BB0h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
pushfd |
cld |
dec eax |
sub esp, 000000E0h |
dec eax |
mov dword ptr [esp], edi |
dec eax |
mov dword ptr [esp+08h], esi |
dec eax |
mov dword ptr [esp+10h], ebp |
dec eax |
mov dword ptr [esp+18h], ebx |
dec esp |
mov dword ptr [esp+20h], esp |
dec esp |
mov dword ptr [esp+28h], ebp |
dec esp |
mov dword ptr [esp+30h], esi |
dec esp |
mov dword ptr [esp+38h], edi |
movups dqword ptr [esp+40h], xmm6 |
movups dqword ptr [esp+50h], xmm7 |
inc esp |
movups dqword ptr [esp+60h], xmm0 |
inc esp |
movups dqword ptr [esp+70h], xmm1 |
inc esp |
movups dqword ptr [esp+00000080h], xmm2 |
inc esp |
movups dqword ptr [esp+00000090h], xmm3 |
inc esp |
movups dqword ptr [esp+000000A0h], xmm4 |
inc esp |
movups dqword ptr [esp+000000B0h], xmm5 |
inc esp |
movups dqword ptr [esp+000000C0h], xmm6 |
inc esp |
movups dqword ptr [esp+000000D0h], xmm7 |
dec eax |
sub esp, 30h |
dec ecx |
mov ebp, ecx |
dec ecx |
mov edi, eax |
dec eax |
mov edx, dword ptr [00EC8B63h] |
dec eax |
mov edx, dword ptr [edx] |
dec eax |
cmp edx, 00000000h |
jne 00007F1E9880A87Eh |
dec eax |
mov eax, 00000000h |
jmp 00007F1E9880A943h |
dec eax |
mov edx, dword ptr [edx] |
dec eax |
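The listing above is what a 32-bit decoder produces from 64-bit code: 0x48, 0x49, 0x4C and 0x44 are `dec eax`, `dec ecx`, `dec esp` and `inc esp` in 32-bit mode but REX prefixes (REX.W, REX.WB, REX.WR, REX.R) in 64-bit mode, so "dec eax / sub esp, 0E0h" is really `sub rsp, 0E0h` and "dec esp / mov [esp+20h], esp" is `mov [rsp+20h], r12`. The following Python is an added example, not part of the report, that decodes the same bytes both ways. The byte string is our own standard encoding of the first instructions of the listing (the report prints no raw bytes), and the decoder supports only the opcodes and addressing forms that sequence uses.

```python
"""Decode a short x86 byte string as 32-bit and as 64-bit code.

Added example for this report. PROLOGUE is a constructed encoding of the
entrypoint listing's first instructions; it is not extracted from the sample.
Supported: REX, pushf, cld, int3, 81 /r imm32, 89 /r, 8B /r, 0F 11 /r with
register-direct or [base(+index*scale)](+disp8/disp32) operands.
"""

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]
XMM = [f"xmm{n}" for n in range(16)]
ALU_EXT = {0: "add", 1: "or", 2: "adc", 3: "sbb", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}

PROLOGUE = bytes.fromhex(
    "9C"              # pushfq
    "FC"              # cld
    "4881ECE0000000"  # sub rsp, 0xE0      (32-bit view: dec eax / sub esp, 0xE0)
    "48893C24"        # mov [rsp], rdi     (32-bit view: dec eax / mov [esp], edi)
    "4889742408"      # mov [rsp+8], rsi
    "4C89642420"      # mov [rsp+0x20], r12 (32-bit view: dec esp / mov [esp+0x20], esp)
    "0F11742440"      # movups [rsp+0x40], xmm6
    "440F11442460"    # movups [rsp+0x60], xmm8 (32-bit view: inc esp / movups ..., xmm0)
    "4989CD"          # mov r13, rcx       (32-bit view: dec ecx / mov ebp, ecx)
)


def _modrm(code, i, rex, regs, addr_regs):
    """Decode ModRM (+SIB, +disp) at code[i]. Returns (reg field, r/m text, next index)."""
    rex_r, rex_x, rex_b = (rex >> 2) & 1, (rex >> 1) & 1, rex & 1
    modrm = code[i]
    i += 1
    mod, reg, rm = modrm >> 6, ((modrm >> 3) & 7) | (rex_r << 3), modrm & 7
    if mod == 3:                                   # register-direct operand
        return reg, regs[rm | (rex_b << 3)], i
    if rm == 4:                                    # SIB byte follows
        sib = code[i]
        i += 1
        scale = sib >> 6
        index = ((sib >> 3) & 7) | (rex_x << 3)
        base = (sib & 7) | (rex_b << 3)
        ea = addr_regs[base] + (f"+{addr_regs[index]}*{1 << scale}" if index != 4 else "")
    else:
        ea = addr_regs[rm | (rex_b << 3)]
    disp = 0
    if mod == 1:
        disp = int.from_bytes(code[i:i + 1], "little", signed=True)
        i += 1
    elif mod == 2:
        disp = int.from_bytes(code[i:i + 4], "little", signed=True)
        i += 4
    if disp:
        ea += f"{'+' if disp > 0 else '-'}{abs(disp):#x}"
    return reg, f"[{ea}]", i


def decode(code: bytes, bits: int = 64) -> list:
    """Return Intel-syntax mnemonics for `code`, decoded as 32-bit or 64-bit x86."""
    out, i = [], 0
    addr_regs = REG64 if bits == 64 else REG32
    while i < len(code):
        rex = 0
        if bits == 64 and 0x40 <= code[i] <= 0x4F:  # REX exists only in 64-bit mode
            rex = code[i]
            i += 1
        op = code[i]
        i += 1
        gpr = REG64 if (rex >> 3) & 1 else REG32    # REX.W selects 64-bit operands
        if 0x40 <= op <= 0x47:                      # 32-bit mode: inc r32
            out.append(f"inc {REG32[op - 0x40]}")
        elif 0x48 <= op <= 0x4F:                    # 32-bit mode: dec r32
            out.append(f"dec {REG32[op - 0x48]}")
        elif op == 0x9C:
            out.append("pushfq" if bits == 64 else "pushfd")
        elif op == 0xFC:
            out.append("cld")
        elif op == 0xCC:
            out.append("int3")
        elif op == 0x81:                            # ALU r/m, imm32; reg field selects the operation
            ext, rm, i = _modrm(code, i, rex, gpr, addr_regs)
            imm = int.from_bytes(code[i:i + 4], "little", signed=True)
            i += 4
            out.append(f"{ALU_EXT[ext & 7]} {rm}, {imm:#x}")
        elif op == 0x89:                            # mov r/m, r
            reg, rm, i = _modrm(code, i, rex, gpr, addr_regs)
            out.append(f"mov {rm}, {gpr[reg]}")
        elif op == 0x8B:                            # mov r, r/m
            reg, rm, i = _modrm(code, i, rex, gpr, addr_regs)
            out.append(f"mov {gpr[reg]}, {rm}")
        elif op == 0x0F and code[i] == 0x11:        # movups xmm/m128, xmm
            i += 1
            reg, rm, i = _modrm(code, i, rex, XMM, addr_regs)
            out.append(f"movups {rm}, {XMM[reg]}")
        else:
            raise NotImplementedError(f"opcode {op:#04x} at offset {i - 1}")
    return out


if __name__ == "__main__":
    for bits in (32, 64):
        print(f"--- decoded as {bits}-bit ---")
        print("\n".join(decode(PROLOGUE, bits)))
```

Decoding `PROLOGUE` with `bits=32` reproduces the report's lines verbatim (including `dec eax` and `inc esp`); with `bits=64` the same bytes yield the register saves of a 64-bit function prologue, which is the view to use when reading this Go binary's entry code.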
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf3a000 | 0x490 | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf3b000 | 0x284d6 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xe8a040 | 0x148 | .data |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x9002fd | 0x900400 | 675bd67d71e08d8a302d0991b341f00c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x902000 | 0x587b08 | 0x587c00 | 124275e4b4bf4b15b3576dfc0cdec530 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xe8a000 | 0xaf370 | 0x41200 | eb5c7d00ae6f649d5bb1048bd90f2a0c | False | 0.38792586372360843 | data | 4.7843240249317125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xf3a000 | 0x490 | 0x600 | 441873a8a8adf8196028290db6812a9c | False | 0.3365885416666667 | data | 3.6138419384379086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.reloc | 0xf3b000 | 0x284d6 | 0x28600 | d79d74bba0145021f540c69a9e37200b | False | 0.13766205495356038 | data | 5.449915994087614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.symtab | 0xf64000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
DLL | Import |
---|---|
kernel32.dll | WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler |
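The static fields above are the usual fingerprint of a Go-built PE: a `.symtab` section, a TimeDateStamp of 0, DEBUG_STRIPPED set, one large `.text` section and a kernel32-only import set used by the Go runtime. The following Python is an added triage example (not Joe Sandbox code) that parses the DOS, COFF, optional and section headers with the standard library and scores those indicators. The image it builds for testing is a header-only PE32+ reconstructed from the section table and header values in this report; it contains no code from the sample and is labelled as constructed. Import parsing is left out to keep the example short.

```python
"""Header-level triage for Go-built PE files (added example, not report code).

parse_pe() reads the DOS/COFF/optional headers and section table;
go_indicators() scores the Go toolchain fingerprints visible in this report;
build_pe() constructs a header-only PE32+ image for testing (constructed data,
mirroring the section table above, not the real sample).
"""
import struct
from dataclasses import dataclass

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_DEBUG_STRIPPED = 0x0200
IMAGE_SCN_CNT_CODE = 0x00000020
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int


@dataclass
class PeHeader:
    machine: int
    timestamp: int
    characteristics: int
    entry_point: int          # AddressOfEntryPoint (RVA)
    dll_characteristics: int
    sections: list


def parse_pe(data: bytes) -> PeHeader:
    """Parse the headers needed for triage; raises ValueError on a malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    for n in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + n * 40)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, f[2], f[1], f[3], f[9]))
    return PeHeader(machine, timestamp, chars, entry, dll_chars, sections)


def go_indicators(pe: PeHeader) -> dict:
    """Static fingerprints the Go linker leaves; none is conclusive alone."""
    names = {s.name for s in pe.sections}
    code = [s for s in pe.sections if s.characteristics & IMAGE_SCN_CNT_CODE]
    return {
        "symtab_section": ".symtab" in names,
        "zero_timestamp": pe.timestamp == 0,
        "debug_stripped": bool(pe.characteristics & IMAGE_FILE_DEBUG_STRIPPED),
        "single_code_section": len(code) == 1,
    }


def likely_go(pe: PeHeader) -> bool:
    ind = go_indicators(pe)
    return ind["symtab_section"] and (ind["zero_timestamp"] or ind["debug_stripped"])


def build_pe(sections, timestamp, characteristics, machine=0x8664) -> bytes:
    """Constructed header-only PE32+ image (no section contents) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, len(sections), timestamp, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x5D0A0)               # entry RVA from the report (0x45d0a0 - 0x400000)
    struct.pack_into("<Q", opt, 24, 0x400000)              # ImageBase
    struct.pack_into("<H", opt, 68, 2)                     # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, 0x8160)                # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"), s.virtual_size,
                    s.virtual_address, s.raw_size, 0, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section table and header flags as listed in this report (constructed mirror of the sample).
SAMPLE_SECTIONS = [
    Section(".text", 0x1000, 0x9002FD, 0x900400, 0x60000020),
    Section(".rdata", 0x902000, 0x587B08, 0x587C00, 0x40000040),
    Section(".data", 0xE8A000, 0xAF370, 0x41200, 0xC0000040),
    Section(".idata", 0xF3A000, 0x490, 0x600, 0xC0000040),
    Section(".reloc", 0xF3B000, 0x284D6, 0x28600, 0x42000040),
    Section(".symtab", 0xF64000, 0x4, 0x200, 0x42000000),
]
REPORT_TIMESTAMP = 0x0
REPORT_CHARACTERISTICS = (IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE
                          | IMAGE_FILE_DEBUG_STRIPPED)

if __name__ == "__main__":
    pe = parse_pe(build_pe(SAMPLE_SECTIONS, REPORT_TIMESTAMP, REPORT_CHARACTERISTICS))
    print(go_indicators(pe), "likely_go =", likely_go(pe))
```

To run it on the real file, replace the constructed image with `parse_pe(open(path, "rb").read())`; the parser only touches the headers, so it is safe to run on untrusted samples without executing them. The `.symtab` section is the strongest of the four signals: zero timestamps also occur in other reproducible builds, and DEBUG_STRIPPED is common in any release binary.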
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 30, 2024 10:04:34.806612015 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:34.820440054 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:34.820544004 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:34.821121931 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:34.825954914 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:35.859658957 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:35.877702951 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:35.882590055 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:35.994426012 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:35.994473934 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:35.999464035 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:35.999483109 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:36.992240906 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:36.992240906 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:36.994107008 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:36.997140884 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:36.997454882 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:36.997524977 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:36.998960972 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:36.999051094 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:36.999294996 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:37.004489899 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:38.022294044 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:38.024441957 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:38.024475098 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:38.024475098 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:38.029514074 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:38.029520988 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:38.029536009 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:38.419040918 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:38.462344885 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:39.455280066 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:39.455338955 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:04:39.460334063 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:39.460549116 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:04:39.460629940 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:00.857736111 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:00.887259007 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:00.887403011 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:00.890764952 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:00.897571087 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:01.800367117 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:01.802351952 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:01.802397966 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:01.802449942 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:01.807192087 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:01.807301044 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:01.807310104 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:02.137115002 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:02.178258896 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:02.275116920 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:02.318856001 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:03.287885904 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:03.287976027 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
Sep 30, 2024 10:06:03.293414116 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:03.293431044 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7 |
Sep 30, 2024 10:06:03.293581963 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151 |
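The table above records three short TLS sessions from the sandbox host to 206.189.41.151:8443 (client ports 49699, 49701 and 49707), the pattern of an implant reconnecting to its C2 rather than one long-lived channel. The following Python is an added example, not part of the report, that rebuilds sessions and the interval between successive connections from rows in this table format. The embedded rows are a subset copied from the table above; the parser assumes the first packet seen for a port pair is the client's SYN, and timestamps are reduced to seconds since midnight (nanosecond precision kept), so sessions that cross midnight would need a date-aware variant.

```python
"""Rebuild TCP sessions and connection intervals from Joe Sandbox packet-table rows.

Added example for this report. SAMPLE_ROWS is a subset of the TCP traffic
table above; the parsing and interval logic is not Joe Sandbox code.
"""
from collections import OrderedDict
from dataclasses import dataclass

SAMPLE_ROWS = """\
Sep 30, 2024 10:04:34.806612015 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151
Sep 30, 2024 10:04:34.820440054 CEST | 8443 | 49699 | 206.189.41.151 | 192.168.2.7
Sep 30, 2024 10:04:34.820544004 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151
Sep 30, 2024 10:04:34.821121931 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151
Sep 30, 2024 10:04:36.994107008 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151
Sep 30, 2024 10:04:36.997524977 CEST | 49699 | 8443 | 192.168.2.7 | 206.189.41.151
Sep 30, 2024 10:04:36.998960972 CEST | 8443 | 49701 | 206.189.41.151 | 192.168.2.7
Sep 30, 2024 10:04:39.460629940 CEST | 49701 | 8443 | 192.168.2.7 | 206.189.41.151
Sep 30, 2024 10:06:00.857736111 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151
Sep 30, 2024 10:06:00.887259007 CEST | 8443 | 49707 | 206.189.41.151 | 192.168.2.7
Sep 30, 2024 10:06:03.293581963 CEST | 49707 | 8443 | 192.168.2.7 | 206.189.41.151
"""


@dataclass
class Flow:
    client: tuple          # (ip, port) of the side that sent the first packet
    server: tuple          # (ip, port) it connected to
    first: float           # seconds since midnight of the first packet
    last: float            # seconds since midnight of the last packet
    to_server: int = 0
    from_server: int = 0

    @property
    def duration(self) -> float:
        return round(self.last - self.first, 3)


def _seconds(stamp: str) -> float:
    """'Sep 30, 2024 10:04:34.806612015 CEST' -> seconds since midnight."""
    hh, mm, ss = stamp.split()[3].split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def parse_flows(text: str) -> list:
    """Group packet rows into flows keyed on the unordered endpoint pair."""
    flows = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, sport, dport, sip, dip = (c.strip() for c in line.split("|"))
        t = _seconds(stamp)
        src, dst = (sip, int(sport)), (dip, int(dport))
        key = frozenset((src, dst))            # same key for both directions
        flow = flows.get(key)
        if flow is None:                       # assumption: first packet of a pair is the client's SYN
            flow = flows[key] = Flow(client=src, server=dst, first=t, last=t)
        flow.first, flow.last = min(flow.first, t), max(flow.last, t)
        if src == flow.client:
            flow.to_server += 1
        else:
            flow.from_server += 1
    return list(flows.values())


def connection_gaps(flows: list) -> dict:
    """Seconds between successive connection starts to each server endpoint.

    A stable gap across many connections is the beacon interval; Sliver adds
    jitter, so look at the distribution rather than expecting equal values."""
    starts = {}
    for f in sorted(flows, key=lambda f: f.first):
        starts.setdefault(f.server, []).append(f.first)
    return {srv: [round(b - a, 3) for a, b in zip(ts, ts[1:])] for srv, ts in starts.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_ROWS)
    for f in flows:
        print(f"{f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]} "
              f"start={f.first:.3f}s dur={f.duration}s pkts={f.to_server}/{f.from_server}")
    print(connection_gaps(flows))
```

On the full table the third session starts about 84 seconds after the second, which is the only interval long enough here to be a beacon sleep; the first two sessions two seconds apart are more consistent with the initial handshake and registration. Three data points are not enough to fix the period, so this kind of script earns its keep on a longer capture.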
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 30, 2024 10:04:34.587204933 CEST | 50109 | 53 | 192.168.2.7 | 1.1.1.1 |
Sep 30, 2024 10:04:34.782253027 CEST | 53 | 50109 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Sep 30, 2024 10:04:34.587204933 CEST | 192.168.2.7 | 1.1.1.1 | 0x6304 | Standard query (0) | ns1.mtls.ink | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Sep 30, 2024 10:04:34.782253027 CEST | 1.1.1.1 | 192.168.2.7 | 0x6304 | No error (0) | ns1.mtls.ink | | 206.189.41.151 | A (IP address) | IN (0x0001) | false |
Target ID: | 5 |
Start time: | 04:04:33 |
Start date: | 30/09/2024 |
Path: | C:\Users\user\Desktop\NLBgWmWGow.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Users\user\Desktop\NLBgWmWGow.exe" |
Imagebase: | 0x8c0000 |
File size: | 15'672'832 bytes |
MD5 hash: | F34858AD51B208FBA47332EEBCFA2CD0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Go lang |
Yara matches: | |
Reputation: | low |
Has exited: | false |
Function | Relevance | Strings | Instructions |
---|---|---|---|
008CC560 | 8.0 | 6 | 510 |
008CBBA0 | 6.6 | 5 | 349 |
008D8F80 | 5.5 | 4 | 545 |
009068C0 | 3.9 | 3 | 124 |
008C6E40 | 2.9 | 2 | 418 |
008C60A0 | 2.9 | 2 | 381 |
008F0560 | 2.7 | 2 | 249 |
008F33C0 | 2.7 | 2 | 246 |
008F5FE0 | 2.7 | 2 | 237 |
00904000 | 1.6 | 1 | 391 |
008E75A0 | 1.6 | 1 | 346 |
008E4980 | 1.6 | 1 | 324 |
00906AA0 | 1.5 | 1 | 243 |
008D3E60 | 1.5 | 1 | 219 |
008E9120 | 1.4 | 1 | 172 |
008D4B40 | 0.3 | | 327 |
008C6980 | 0.3 | | 260 |
008E7120 | 0.2 | | 207 |
008E7EC0 | 0.2 | | 193 |
008DBCA0 | 0.2 | | 183 |
008C9740 | 0.2 | | 161 |
00908100 | 0.2 | | 155 |
008DE260 | 0.1 | | 130 |
008DF520 | 0.1 | | 108 |
008CD120 | 0.1 | | 99 |
008E3CC0 | 0.1 | | 78 |
0091B800 | 0.0 | | 11 |
Function | Relevance | Strings | Instructions |
---|---|---|---|
008D75C0 | 12.9 | 10 | 351 |
008C7A60 | 12.7 | 10 | 194 |
008C84E0 | 11.4 | 9 | 167 |
008C1060 | 9.1 | 7 | 306 |
008C9080 | 8.9 | 7 | 170 |
008EDEE0 | 8.8 | 7 | 68 |
008D779E | 6.4 | 5 | 113 |
008D7798 | 6.4 | 5 | 113 |
008D77AA | 6.4 | 5 | 113 |
008D77A4 | 6.4 | 5 | 113 |
008D77BC | 6.4 | 5 | 113 |
008D77B6 | 6.4 | 5 | 113 |
008D77B0 | 6.4 | 5 | 113 |
008D77C2 | 6.4 | 5 | 113 |
008D77C8 | 6.4 | 5 | 112 |
008D780B | 6.4 | 5 | 106 |
008D7805 | 6.4 | 5 | 106 |
008D781D | 6.4 | 5 | 106 |
008D7817 | 6.4 | 5 | 106 |
008D7811 | 6.4 | 5 | 106 |
008D7823 | 6.4 | 5 | 106 |
008D77FF | 6.4 | 5 | 106 |
008D77F9 | 6.4 | 5 | 106 |
008C15C0 | 5.4 | 4 | 445 |
008DC620 | 5.3 | 4 | 314 |
008D9A60 | 5.2 | 4 | 198 |
00904E40 | 5.2 | 4 | 180 |
008CD3A0 | 5.2 | 4 | 163 |
008D58E0 | 5.1 | 4 | 131 |