Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Analysis ID:	1532505
MD5:	2452e269ee2a615e90c5e19a373b0239
SHA1:	6e02258265d33f5d622997091065953c4730ec10
SHA256:	4c0dbbf022d7dfc0b4eacb34dbb4d41e3fd860c04057362002a5d4a6e0220a55
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Enables debug privileges

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe" MD5: 2452E269EE2A615E90C5E19A373B0239)

conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 18.166.250.135:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\bin\Release\Bootstrapper.pdb source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Source: global traffic

HTTP traffic detected: GET /quiving/Solara/raw/branch/main/Files/endpoint HTTP/1.1Host: gitea.comConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /quiving/Solara/raw/branch/main/Files/endpoint HTTP/1.1Host: gitea.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: gitea.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 13 Oct 2024 12:27:01 GMTContent-Type: text/plain;charset=utf-8Content-Length: 11Connection: closeCache-Control: max-age=0, private, must-revalidate, no-transformServer: CaddySet-Cookie: i_like_gitea=775661cd8dc0adc0; Path=/; HttpOnly; Secure; SameSite=LaxSet-Cookie: _csrf=6ppViQ1aeWleoIZL9QKPor9alOY6MTcyODgyMjQyMTcxMzI0NzM3MA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=LaxX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGIN

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gitea.com
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gitea.comd
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://aka.ms/vs/16/release/vc_redist.x64.exe#vc_redist.x64.exeiVisual
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exeiWebView2
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gitea.com
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://gitea.com/quiving/Solara/raw/branch/main/Files/endpoint
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 18.166.250.135:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2942925913.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000000.1696542029.000000000068A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.evad.winEXE@2/0@1/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Mutant created: NULL

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Virustotal: Detection: 54%

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: pv]Error checking WebView2 runtime installation: chttps://go.microsoft.com/fwlink/p/?LinkId=2124703=MicrosoftEdgeWebview2Setup.exe!/silent /installQWebView2 runtime installed successfully.qWebView2 runtime installation failed with exit code {0}.GError installing WebView2 runtime: iSOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	String found in binary or memory: Version3Error checking registry: ]https://aka.ms/vs/16/release/vc_redist.x64.exe#vc_redist.x64.exeiVisual C++ Redistributable installer downloaded to: 5/install /quiet /norestart

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Section loaded: gpapi.dll	Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\bin\Release\Bootstrapper.pdb source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Memory allocated: 4990000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe TID: 6848

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2942925913.0000000000E05000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	53%	ReversingLabs	Win32.Trojan.AgentTesla
SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	55%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
gitea.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.nuget.org/packages/Newtonsoft.Json.Bson	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://www.newtonsoft.com/jsonschema	0%	URL Reputation	safe
https://aka.ms/vs/17/release/vc_redist.x64.exe	0%	Virustotal		Browse
https://aka.ms/vs/17/release/vc_redist.x64.exeiWebView2	0%	Virustotal		Browse
https://gitea.com	1%	Virustotal		Browse
https://gitea.com/quiving/Solara/raw/branch/main/Files/endpoint	0%	Virustotal		Browse
http://gitea.com	1%	Virustotal		Browse
https://aka.ms/vs/16/release/vc_redist.x64.exe#vc_redist.x64.exeiVisual	0%	Virustotal		Browse
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gitea.com	18.166.250.135	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gitea.com/quiving/Solara/raw/branch/main/Files/endpoint	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/vs/17/release/vc_redist.x64.exe	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://gitea.com	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	false	0%, Virustotal, Browse	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	false	URL Reputation: safe	unknown
http://gitea.comd	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/vs/17/release/vc_redist.x64.exeiWebView2	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	false	0%, Virustotal, Browse	unknown
http://gitea.com	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, 00000000.00000002.2943769676.0000000002991000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/vs/16/release/vc_redist.x64.exe#vc_redist.x64.exeiVisual	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	false	0%, Virustotal, Browse	unknown
http://james.newtonking.com/projects/json	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	false	URL Reputation: safe	unknown
https://www.newtonsoft.com/jsonschema	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.166.250.135	gitea.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532505
Start date and time:	2024-10-13 14:26:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@2/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe, PID 6884 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.166.250.135	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gitea.com	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse	18.166.250.135

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	54.214.132.50
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	157.175.218.20
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	18.251.142.227
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	849128312.cmd	Get hash	malicious	Unknown	Browse	54.231.171.137
	na.elf	Get hash	malicious	Mirai	Browse	44.240.65.146
	https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AAAjUdfNc16+VqCOWdjhu7TjhebDwXm6ITDaAzM2/RBqTCouOd4syZWt0oQeHch0J32d09qewtBep0xMzEqQw5uCDD5jzGMptv2Ml8tKG/C8CtlmUW+BwgihXDjkVb9+HrdQMTDnH/ltKCqbqkeSWCTVbTbsi7hQm50lkSO+uIKP+WaZVK5CwB+KNw5vz0h1+VWB9nXYS7r/65KwDXG1eoQ7LpgExf5uqFhJOeKU2lxyf8MZFWma+Jpcd8qAgpI5cl3w3zd+Vm0EYEfvHWX+4U6+p25bR3xOeQgBPB06jegeQ9cdnaCwg3Jra3NPSUfO/ZRQe9TJEW4VVwilXp7v0mwUyqJcK2y5kBNWNZEBnnQaAV+iawzJY19HetwEfzVabFBg3HhgYGx7XFWZYjHTHjwVWsbkjfgBb5461v0CHJjM9jrxfdj1kWIpcxid8O+dUSurKUOY4Hbb6SKXakBTmnkrYs0n3Xg5Ig==&c=AABu3sW2q3Ir8ifQJAijAhNJKq0uXwwF4aGWbgefQqJepVeNmQ2aDLrgth/4e3uZIWGGIQ8D3UPNbSnpgolkZPjCVjLlF8o96RZE6aKBP9hbbWDin7ntLRUM+OO5f3pIO2jZnmZof+ubVBUQEbWFAbo8xkwwPjD2yomWYO9BLauUbPdhe7sTeQubBshJfuD8IakpYR9mWvaRkj7jNE3uduhHnJqo59l67j+0INR7XdqioPPPYIlYt8Y2ErrD/Hm1x7Ub0JlpSy2dIylu82OHsbPe2IgE0AfUZGQlqmZjkJjdk/1R+5UTAbpM4Ru2nPA1W7k8m3b56CPQfp4Nfu7t5KTvxCSLpsyTXBp2H+CLMJgrqBWvScKuAGZzoBftoxN6AlJm7/tBk90HG/fSCigf6L5/vrhdqLwDnA3umOCSZNa6Rd/lq2DBocN9C5i+TM7dwQouAP+UKgVQf4ATMh19VLexy/mmb76HgGZt4HtVGufMb6cC2I7sVZK9dBduwlRzxT47SRfRKthnR5h3xirvQPbRJwRGy1YOGI3PBe6L8zkZnlHm4NWF1riKc7NfDV2jKR/ux1g+p2dIOZSC6QRSQfNi2L0zb9mMJvmZGJpdRbwk09T/RgLB6/6oigEcyMOmQDpPT8ma	Get hash	malicious	Unknown	Browse	18.245.46.78
	https://confortdelaine.net/_t/c/A1020005-17FCBF5826D778A0-C9FF7535?l=AACrcmbDni/ExL+6O84qnOq7s+7FEV7f2cEnFZCBGkVuVLwxJJ9kIF+/XsJvnT/ZZCSNu0ZPkHJMldgNU5hySzD4vbkLFmicZpeb27RRNiBBqzluO2njDgWrhNVOuuG5KecX01qr4Wu4+GPJbk1wcH4NmoDfnECMgEyVdYVJNd9SJ/Z6oeOmLYfmhHtJEcZB1zTo2XcCZUK4o1X55Z6mDqHfXia9/zchVngkbUJFubdOeeGrUXmliV4kA4X0r42Yjp3RKfpMvJU0dvSKL9oGxXQi9sD/MbbP4pxgNW6CajbdZVfsCIontUHWT1eFW4HrQm9NkGaKTegqBxEs/bh3fwfINtkSa08UEhuWP97GhgCO8AMh0qPvYF1Rp7eiHGFkb8QogMMfuDrW2QnTqHRWnTzitTqkjecFMC67nh1FVX/+SWo05+3MmWfzaTxkwp1iAJoDUcmTFcR0WSTfeepWakTIU1exnjYHjHsm9FYU&c=AABJIKCyntddafHrxXwMffbew9PUcwQ56WCR8mvcT/7tDRFoJSRw3QNX02Q/MIVoixgn9dE9sMMP0GDnwqQ0LdLGXfvFaDm4lnRP0nKKMx/K5F9QxPOFroSM5e8+RBG+qqCfBnKxbWihL3/38edMaV7uTv7a0UGb2nVUF+n7XQAl2QSudEpYlV++l35LZxi6JWsnjixzdQpF+bXikFz1oYDN6GSuDb0op6aViO8V/0UhqnTHHddY9/cqyxhVsr874sBNA2avRHpdaXr1CP2PeHJcUgsGQb+Q5ZsuH9DAP++Oq7lFPe0lbuV3tYUIr/YAS6C7DT9Oee2yUkZYYTbI0bVJgmpWHa/G9q/wBFVVHuCTY5U3Rk5FsGRYQV6gWYrnX5DIQf3ZS3CM9xlUC2XMY8/htbCHQHuT5hjcDdzUTL+rWXnJ/TpkKPDyDGmCQh8idvsKAqOWIYWkO3X5LUWuEryoODEKawcYmYfc7zahLtlk7MGx3wWvCKqqkAg6bFwWWKWXURv3AGYvESLycicJVk8PxbBHrVkb/ZjVWsbKsit0CCZTx+7Bs7ZMtFKW5bo+GHe3oXwvXrlQS2IjtYPTG6q1fOR5753mseQVzhjXvKuOJkAQb03nyAw9hJo2vgadjjmOtgB9	Get hash	malicious	Unknown	Browse	18.245.46.2
	https://confortdelaine.net/_t/c/A1020005-17FC1B6DB5BD9241-7C90090F?l=AADy6+7GSFDtie9t8Cg/YUEnWHeQNpQUM5LtDe7UJMsLOceAyoyG1gPOseIEt6wEQOIS0cQG9+43HQOpwin+IcDGpXOmivIAoIj+kjiIGL1D2+8BvnDBEaMAH0f591eHch8eVhYXQMKLzHwgDODg3wt5JqhlbP9RQzflWbxkgz8rcLW9fZi6fO8I2q/H/mufxAmprX0pckYJIlZDOjEWtANKm9qQyuOPBTmTxFfQ7lSnZTWTopfzM4iUzlHH6YHH2Gwf9rOJKxuawJshVk1D6tC4SPWT4Qn+EH36v6noVRG1OVZuyh8POMokxISZrUYw04m/WI9EIj5YnXnJ0pu3aN84TxZoMpQWLf/bmERiIc3Nyv1tTCdvcY5yUV048SjizDEvcSo7xAYIkZcbJD4FxApNB4P7tHx7BM4Ye85I4pWktamhPb27vCl/+uYQPRubCgSnJCgEpm957xU4Pe9/Mw441Bx0a9Cw1g==&c=AAAMLqZiPcHPCafs0rFGm1fIkoNaTXck7ODBjyaeBBJn4WJkh+1bSUuW3EZ3mxfwfU+bqGXZerIBh+MSgUxyjr2dBgbCYcsfxsvjUb8rm3+6Y+MBXQzywIZk3yyBwMGrGcyqAW4sC8CEsQLo0qa26hZf6P5Mds0gAcBhLOQHNHGs04Bz8kP6rN3oyHvKAVKj6q6jh+o5tCfFCSfoFphn1jIlhz58l/iThGupLjhturtvKm1NOX3hQvVyGuodJdqpVFaaDIitHXcYMqB9UmB9x5Je567LlrJzANu3yeDnFlF+FPlEJBxfqHj5MAKq9a5hjcUMFWRj2C1f6q3FTviqfxGBcXqL6mjrfRn2e6SZ3cLMdbrvJF8+K9bEjK0z+DPrn/wowMPNg/sWBhdBb591VOmiiOgz82MQYX1oZvuxWVx8Ss8Y39FUpF/cGTcZLojkZK6/ZSGPHVUwgwezuarqDmRh2tnVahKh1zxiH7oFrg0dqApoWgloHFVuYES+Zx6Fwu8ffg2y+FHXsyJlLjARsT0dR3inuufunKnxFU0f0p8osK+QnybUWCcqfkqTetWNzB5Z8asqQvYhVbUlxqje0VAbhML1S+q4B7u3yifa6/t82x0LbRE1kHeNSO2USFPZmw2CUqF5	Get hash	malicious	Unknown	Browse	35.157.212.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	849128312.cmd	Get hash	malicious	Unknown	Browse	18.166.250.135
	SecuriteInfo.com.Win32.MalwareX-gen.14234.12476.exe	Get hash	malicious	Unknown	Browse	18.166.250.135
	http://servicesopm.com/login.php	Get hash	malicious	Unknown	Browse	18.166.250.135
	H#0813-186765.vbs	Get hash	malicious	AsyncRAT	Browse	18.166.250.135
	1728716649a09efaf02e58304d0d9f63a90bc410d1231b676f0024be47cb0cc1f511df7bca961.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	18.166.250.135
	20062024150836 11.10.2024.vbe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	18.166.250.135
	Purchase Order No. 4500017624.js	Get hash	malicious	AgentTesla	Browse	18.166.250.135
	narud#U017ebenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf	Get hash	malicious	Remcos, GuLoader	Browse	18.166.250.135
	https://document.cert-sha256.com/pages/10ab5b62ac22/XdXJasPWh0dHqBzOi8vZGo9jdW1ldmbnQufY2VydC1zfaGkEyNTYuY29tL3BhZ2VzhLzEwYWI1YjYyYWMyMiZlbWFpbF90ZW1wbGF0ZV9pZD04MjI4NjI5JmFjdGlvbj1wcmV2aWV3JnVzZXJfaWQ9NzM0MTE0NTY=	Get hash	malicious	Unknown	Browse	18.166.250.135
	http://starlightps.org/	Get hash	malicious	Unknown	Browse	18.166.250.135

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.597571432264211
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
File size:	816'128 bytes
MD5:	2452e269ee2a615e90c5e19a373b0239
SHA1:	6e02258265d33f5d622997091065953c4730ec10
SHA256:	4c0dbbf022d7dfc0b4eacb34dbb4d41e3fd860c04057362002a5d4a6e0220a55
SHA512:	2542dbbedd0d7df24fb8327665ddde1abe3a8ac37e2a30d65295273c7565779f41c0513cc04849078eb19f580f00e61c3a089c89dd64a7d4aea6751d96a622aa
SSDEEP:	12288:tgKN3biG+NgNbbwjlkr3oAQ2jFVfGBc4XqCon9hUpVo34u:aKNr7+Er3oAQ2jFVGBHXqlF4u
TLSH:	50054A15BBE8DB13E1AF6771E8B08B2417B5E042E362E78F154817E92C437096CA536F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................j............... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4c88aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A2AC98 [Thu Jul 25 19:50:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004C88B8h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov word ptr [eax+0000000Ch], cs
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cwde
lodsb
mov byte ptr [00000066h], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [edi+00h], dh
add byte ptr [eax], al
fmul qword ptr [eax+6ADC000Ch]
or al, 00h
push edx
push ebx
inc esp
push ebx
arpl word ptr [esi+55h], si
inc edi
pop ecx
dec ecx
inc ecx
scasd
push esi
js 00007F8AFD25925Eh
in eax, 17h
sbb cl, byte ptr [edx+00000001h]
inc ebx
cmp bl, byte ptr [ebp+edx*2+73h]
jc 00007F8AFD259336h
pop esp
inc ecx
jnc 00007F8AFD25932Ah
je 00007F8AFD25932Bh
outsb
pop esp
inc esp
jnc 00007F8AFD25932Eh
je 00007F8AFD259331h
jo 00007F8AFD25931Eh
push edi
push esp
inc esi
pop esp
push ebx
outsd
insb
popad
jc 00007F8AFD259323h
inc edx
outsd
outsd
je 00007F8AFD259335h
je 00007F8AFD259334h
popad
jo 00007F8AFD259332h
jc 00007F8AFD25931Fh
push ebx
outsd
insb
popad
jc 00007F8AFD259323h
inc edx
outsd
outsd
je 00007F8AFD259335h
je 00007F8AFD259334h
popad
jo 00007F8AFD259332h
jc 00007F8AFD25931Fh
bound ebp, dword ptr [ecx+6Eh]
pop esp
push edx
insb
popad
jnc 00007F8AFD259327h
pop esp
inc edx
outsd
outsd
je 00007F8AFD259335h
je 00007F8AFD259334h
popad
jo 00007F8AFD259332h
jc 00007F8AFD2592F1h
jo 00007F8AFD259326h
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc885c	0x4c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xca000	0x575	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc88c0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc88b8	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc6953	0xc6a00	090cd6467469a9a8f39f2a8454b797c9	False	0.3454646692101951	data	5.603198343916829	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xca000	0x575	0x600	706ed0398f1aa324656eb5102ff400cf	False	0.39453125	data	3.770686100904012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	ca907b0617da5a5a8707f014c49f4e10	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xca090	0x36c	data			0.3995433789954338
RT_MANIFEST	0xca40c	0x169	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.6204986149584487

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 14:27:00.325134039 CEST	49730	443	192.168.2.4	18.166.250.135
Oct 13, 2024 14:27:00.325180054 CEST	443	49730	18.166.250.135	192.168.2.4
Oct 13, 2024 14:27:00.325314045 CEST	49730	443	192.168.2.4	18.166.250.135
Oct 13, 2024 14:27:00.337549925 CEST	49730	443	192.168.2.4	18.166.250.135
Oct 13, 2024 14:27:00.337562084 CEST	443	49730	18.166.250.135	192.168.2.4
Oct 13, 2024 14:27:01.346148014 CEST	443	49730	18.166.250.135	192.168.2.4
Oct 13, 2024 14:27:01.346512079 CEST	49730	443	192.168.2.4	18.166.250.135
Oct 13, 2024 14:27:01.357608080 CEST	49730	443	192.168.2.4	18.166.250.135
Oct 13, 2024 14:27:01.357634068 CEST	443	49730	18.166.250.135	192.168.2.4
Oct 13, 2024 14:27:01.358026028 CEST	443	49730	18.166.250.135	192.168.2.4
Oct 13, 2024 14:27:01.408620119 CEST	49730	443	192.168.2.4	18.166.250.135
Oct 13, 2024 14:27:01.428266048 CEST	49730	443	192.168.2.4	18.166.250.135
Oct 13, 2024 14:27:01.471436977 CEST	443	49730	18.166.250.135	192.168.2.4
Oct 13, 2024 14:27:01.870663881 CEST	443	49730	18.166.250.135	192.168.2.4
Oct 13, 2024 14:27:01.870834112 CEST	443	49730	18.166.250.135	192.168.2.4
Oct 13, 2024 14:27:01.871061087 CEST	49730	443	192.168.2.4	18.166.250.135
Oct 13, 2024 14:27:01.977665901 CEST	49730	443	192.168.2.4	18.166.250.135

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 14:27:00.294003963 CEST	50652	53	192.168.2.4	1.1.1.1
Oct 13, 2024 14:27:00.320527077 CEST	53	50652	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 14:27:00.294003963 CEST	192.168.2.4	1.1.1.1	0x8e55	Standard query (0)	gitea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 14:27:00.320527077 CEST	1.1.1.1	192.168.2.4	0x8e55	No error (0)	gitea.com		18.166.250.135	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gitea.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	18.166.250.135	443	6884	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 12:27:01 UTC	104	OUT	GET /quiving/Solara/raw/branch/main/Files/endpoint HTTP/1.1 Host: gitea.com Connection: Keep-Alive
2024-10-13 12:27:01 UTC	497	IN	HTTP/1.1 404 Not Found Date: Sun, 13 Oct 2024 12:27:01 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 11 Connection: close Cache-Control: max-age=0, private, must-revalidate, no-transform Server: Caddy Set-Cookie: i_like_gitea=775661cd8dc0adc0; Path=/; HttpOnly; Secure; SameSite=Lax Set-Cookie: _csrf=6ppViQ1aeWleoIZL9QKPor9alOY6MTcyODgyMjQyMTcxMzI0NzM3MA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN
2024-10-13 12:27:01 UTC	11	IN	Data Raw: 4e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: Not found.

Target ID:	0
Start time:	08:26:59
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe"
Imagebase:	0x5c0000
File size:	816'128 bytes
MD5 hash:	2452E269EE2A615E90C5E19A373B0239
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	08:26:59
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00DA11C8 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2942766306.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48246f26bfb1a7b0ba0bd585c1b4dfde40c170163e713f7cb3caf5211c8d1dd2
Instruction ID: f1748ea613f2fce8ea751280a6926a31abc73182257380334215d8001f260a49
Opcode Fuzzy Hash: 48246f26bfb1a7b0ba0bd585c1b4dfde40c170163e713f7cb3caf5211c8d1dd2
Instruction Fuzzy Hash: 9861BD34A04616DFCB24DF68C485BADBBF2BF4A300F248569D449E7281DB74E985CFA4

Function 00DA11C0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2942766306.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2439713d4c2d836c2772aff9bd90226f42dc650c1707b440a984798a4331ff
Instruction ID: 241474160ca8c8b9d7dbee9a5cd4c94708538ffc3c898ae0bbb69167e3914bbb
Opcode Fuzzy Hash: dd2439713d4c2d836c2772aff9bd90226f42dc650c1707b440a984798a4331ff
Instruction Fuzzy Hash: FB31AD38A0462ADBDB24CFA9C4447ADFBF2BF49340F24852AD455E7281CB74D945CFA4

Function 00DA1362 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2942766306.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ba7b24d7127fe6ae78410564f2d381fe12ca652c9547bfcc9ee2e93d407f58
Instruction ID: c6a5f5774601f4973fd0577ed78571c1bc86dd612a6eca135f25ce8df5b1e305
Opcode Fuzzy Hash: b3ba7b24d7127fe6ae78410564f2d381fe12ca652c9547bfcc9ee2e93d407f58
Instruction Fuzzy Hash: 88211D34A042158FCB64EB38C455B6D7BB2AF49704F2084AAD04EEB351DF759D86CFA1

Function 00DA13C8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2942766306.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33cb660dd519cd821b5d9c6039612def594e65acdf4715ae5e62ba04e27c363
Instruction ID: 042611d90a48ae3eb611739721d433c6f3c6f2227d5e7c7f828baaa00e48e00a
Opcode Fuzzy Hash: f33cb660dd519cd821b5d9c6039612def594e65acdf4715ae5e62ba04e27c363
Instruction Fuzzy Hash: B421F574A002188FCB54EFB8C455B6C7BB1AF49300F2044AAE00EEB3A5DF749E858F61

Function 00DA14BE Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2942766306.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e57a3ac0f93c1df9e5e74f6dbb6cf456551a7577a2ec5cf21f30a755d7e2b4f
Instruction ID: 1f6db86e17066178794f5779f965a17b478f7c1101cce096f416fa5af91fcada
Opcode Fuzzy Hash: 3e57a3ac0f93c1df9e5e74f6dbb6cf456551a7577a2ec5cf21f30a755d7e2b4f
Instruction Fuzzy Hash: 1D118F38A00218CFCB24EF24C945B6D7BB2AF89710F144196D449EB391CB748D85CFA2

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
SecuriteInfo.com.Variant.Cerbu.210262.1524.886.exe