Windows
Analysis Report
antispam_connect1.exe
Overview
General Information
Detection
GO Backdoor
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 84 | 0 - 100 | false | 100% |
Signatures
Detected unpacking (creates a PE file in dynamic memory)
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found Tor onion address
Machine Learning detection for sample
Suspicious powershell command line found
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- antispam_connect1.exe (PID: 5024, cmdline: "C:\Users\user\Desktop\antispam_connect1.exe", MD5: 970C918FDDE70FD4E57C0DB74CB54BE0)
  - powershell.exe (PID: 5420, cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    - conhost.exe (PID: 6404, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- antispam_connect1.exe (PID: 1600, cmdline: "C:\Users\user\Desktop\antispam_connect1.exe", MD5: 970C918FDDE70FD4E57C0DB74CB54BE0)
  - powershell.exe (PID: 5364, cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    - conhost.exe (PID: 5964, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- antispam_connect1.exe (PID: 1900, cmdline: "C:\Users\user\Desktop\antispam_connect1.exe", MD5: 970C918FDDE70FD4E57C0DB74CB54BE0)
  - powershell.exe (PID: 6552, cmdline: powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    - conhost.exe (PID: 6388, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security | |
| | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security | |
| | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security | |
| Source | Sigma rule | Author |
|---|---|---|
| | CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| | | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
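The Sigma hit above fires on the PowerShell line in the process tree, which writes an `App` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` pointing back at the sample on the Desktop. The script below is an added example of the same detection logic run over process-creation command lines; it is not Joe Sandbox or Sigma code. The event records are constructed for this example (the first is the report's own command line with the extraction spacing removed, the other two are benign contrasts), and the field names `pid`, `parent_image` and `cmdline` are an assumed telemetry schema.

```python
"""Flag Run/RunOnce autorun-key writes in process-creation command lines.

Added illustration of the report's Sigma hit ("CurrentVersion Autorun Keys
Modification"). Not Joe Sandbox or Sigma code; the event schema (pid,
parent_image, cmdline) is an assumption and the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Run / RunOnce under HKCU or HKLM. `\\+` tolerates the doubled backslashes the
# report's command line carries, `:?` the PowerShell drive spelling "HKCU:".
AUTORUN_KEY = re.compile(
    r"(?i)(HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE):?"
    r"\\+Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run(?:Once)?)\b"
)
# Only writes matter; Get-ItemProperty / reg query against the same key are noise.
WRITE_VERB = re.compile(r"(?i)\b(Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add)\b")
HIDDEN_WINDOW = re.compile(r"(?i)-w[a-z]*\s+hidden")   # PowerShell accepts -w, -win, -WindowStyle
PS_NAME = re.compile(r'(?i)-Name\s+\\?"?([^"\\\s]+)\\?"?')
PS_VALUE = re.compile(r'(?i)-Value\s+\\?"([^"]+?)\\?"')
REG_NAME = re.compile(r'(?i)/v\s+"?([^"\s]+)"?')
REG_DATA = re.compile(r'(?i)/d\s+(?:"([^"]+)"|(\S+))')
# Directories an unprivileged user can write to: a persisted binary there is far
# more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"(?i)\\Users\\[^\\]+\\(?:Desktop|Downloads|Documents|AppData)\\|\\Temp\\|\\ProgramData\\"
)


@dataclass
class AutorunFinding:
    pid: int
    parent_image: str
    key: str
    value_name: Optional[str]
    payload: Optional[str]
    hidden_window: bool
    user_writable_payload: bool

    @property
    def severity(self) -> str:
        return "high" if self.hidden_window and self.user_writable_payload else "medium"


def inspect_command_line(cmdline: str, pid: int = 0, parent_image: str = "") -> Optional[AutorunFinding]:
    """Return a finding if `cmdline` writes a Run/RunOnce value, else None."""
    key_match = AUTORUN_KEY.search(cmdline)
    verb_match = WRITE_VERB.search(cmdline)
    if not key_match or not verb_match:
        return None
    # Normalise "HKCU:\\Software\\..." and "HKCU\Software\..." to one spelling.
    key = re.sub(r"\\+", r"\\", key_match.group(1)).replace(":", "")
    if verb_match.group(1).lower().startswith("reg"):
        name_m, data_m = REG_NAME.search(cmdline), REG_DATA.search(cmdline)
        payload = (data_m.group(1) or data_m.group(2)) if data_m else None
    else:
        name_m, data_m = PS_NAME.search(cmdline), PS_VALUE.search(cmdline)
        payload = data_m.group(1) if data_m else None
    return AutorunFinding(
        pid=pid,
        parent_image=parent_image,
        key=key,
        value_name=name_m.group(1) if name_m else None,
        payload=payload,
        hidden_window=bool(HIDDEN_WINDOW.search(cmdline)),
        user_writable_payload=bool(payload and USER_WRITABLE.search(payload)),
    )


def scan(events) -> list:
    """Run inspect_command_line over a list of process-creation event dicts."""
    findings = []
    for ev in events:
        f = inspect_command_line(ev["cmdline"], ev.get("pid", 0), ev.get("parent_image", ""))
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry. Event 1 is the PowerShell line from the report's
# process tree (extraction spacing removed); events 2 and 3 are benign contrasts.
SAMPLE_EVENTS = [
    {"pid": 5420, "parent_image": "antispam_connect1.exe",
     "cmdline": r'''powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Users\user\Desktop\antispam_connect1.exe\" }"'''},
    {"pid": 7001, "parent_image": "explorer.exe",
     "cmdline": r'powershell -Command "Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"'},
    {"pid": 7002, "parent_image": "setup.exe",
     "cmdline": r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe" /f'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} parent={f.parent_image} {f.key}\\{f.value_name} -> {f.payload}")
```

The first event is scored high because the window is hidden and the persisted path sits on the user's Desktop; the `reg add` from an installer into Program Files stays medium, and the read-only `Get-ItemProperty` produces nothing. One detail worth noting when reading the sample's own guard: `Test-Path` against the Registry provider tests for a key, not a value, so `Run\App` is only true if a subkey named `App` exists, and the `Set-ItemProperty` runs on every launch regardless.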
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-14T17:22:22.101286+0200 | 2855539 | 1 | A Network Trojan was detected | 109.172.88.38 | 12658 | 192.168.2.5 | 49705 | TCP |
| 2024-10-14T17:22:22.101463+0200 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 109.172.88.38 | 12658 | TCP |
| 2024-10-14T17:22:51.459438+0200 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 109.172.88.38 | 12658 | TCP |
| 2024-10-14T17:22:51.683092+0200 | 2855538 | 1 | A Network Trojan was detected | 109.172.88.38 | 12658 | 192.168.2.5 | 49705 | TCP |
AV Detection
- Integrated Neural Analysis Model
- Joe Sandbox ML
Compliance
- Unpacked PE file
- Static PE information (2 entries)
Networking
- Suricata IDS (4 entries)
- TCP traffic
- String found in binary or memory