Windows
Analysis Report
eJeQNTcb4A.exe
Overview
General Information
Sample name: | eJeQNTcb4A.exerenamed because original name is a hash value |
Original sample name: | ef734216083e11283bcf66e631014748.exe |
Analysis ID: | 1538173 |
MD5: | ef734216083e11283bcf66e631014748 |
SHA1: | 31df8208dc92d0f31e4e56300f0fb673e5a55fa5 |
SHA256: | f83382863ccd22a340325055ad63a04e7a9aab147dd8526a508a6f1cbc646b2b |
Tags: | 32exetrojan |
Infos: | |
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- eJeQNTcb4A.exe (PID: 3556 cmdline:
"C:\Users\ user\Deskt op\eJeQNTc b4A.exe" MD5: EF734216083E11283BCF66E631014748) - cmd.exe (PID: 6540 cmdline:
cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6692 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
{"Type": "Shell Reverse Tcp", "IP": "188.166.177.132", "Port": 443}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
Windows_Trojan_Metasploit_a6e956c9 | Identifies the API address lookup function leverage by metasploit shellcode | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00404A4B | |
Source: | Code function: | 0_2_00404CD8 | |
Source: | Code function: | 0_2_00408680 | |
Source: | Code function: | 0_2_00404553 | |
Source: | Code function: | 0_2_00405F19 | |
Source: | Code function: | 0_2_004045E8 | |
Source: | Code function: | 0_2_00408780 |
Source: | ASN Name: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
System Summary |
---|
Source: | Matched rule: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: | 0_2_00406811 | |
Source: | Code function: | 0_2_00407496 | |
Source: | Code function: | 0_2_004018D0 | |
Source: | Code function: | 0_2_0040B637 | |
Source: | Code function: | 0_2_00401326 | |
Source: | Code function: | 0_2_0040B637 |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: | Jump to behavior |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 2 Software Packing | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
84% | ReversingLabs | Win32.Backdoor.Swrort | ||
100% | Avira | TR/Patched.Gen2 | ||
100% | Joe Sandbox ML |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
188.166.177.132 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1538173 |
Start date and time: | 2024-10-20 18:02:05 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 1m 46s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | eJeQNTcb4A.exerenamed because original name is a hash value |
Original Sample Name: | ef734216083e11283bcf66e631014748.exe |
Detection: | MAL |
Classification: | mal96.troj.winEXE@4/0@0/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: eJeQNTcb4A.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
188.166.177.132 | Get hash | malicious | Metasploit | Browse | ||
Get hash | malicious | Metasploit | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
DIGITALOCEAN-ASNUS | Get hash | malicious | Metasploit | Browse |
| |
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | Gafgyt, Mirai | Browse |
| ||
Get hash | malicious | Mirai, Okiru | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
File type: | |
Entropy (8bit): | 6.331020288570554 |
TrID: |
|
File name: | eJeQNTcb4A.exe |
File size: | 73'802 bytes |
MD5: | ef734216083e11283bcf66e631014748 |
SHA1: | 31df8208dc92d0f31e4e56300f0fb673e5a55fa5 |
SHA256: | f83382863ccd22a340325055ad63a04e7a9aab147dd8526a508a6f1cbc646b2b |
SHA512: | 721be3cab4bfecce520a142af4412b9b521ad7154030d78dbf095f2136292cd623d3f3b213bd78444885def23a42c5a4cbe69e255daf3bdd5230817f6f70384c |
SSDEEP: | 1536:IVtPru4zwgGajp8pWwCOEYp3rcYBMb+KR0Nc8QsJq39:OtSMwgGajnnvYBe0Nc8QsC9 |
TLSH: | 0A73AE42E9C41436C1E2117E2B723A799A71F1BA2612C29E394CCDE5DBD18F0673A3C3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L....teJ........... |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x4092fc |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x4A65749C [Tue Jul 21 07:56:12 2009 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 481f47bbb2c9c21e108d65f52b04c448 |
Instruction |
---|
dec ecx |
xchg eax, ecx |
salc |
aaa |
cwde |
dec ebx |
das |
lahf |
das |
nop |
dec ecx |
dec ecx |
salc |
dec edx |
das |
xchg eax, ecx |
dec edx |
stc |
aaa |
daa |
nop |
xchg eax, edx |
cld |
inc edx |
cdq |
dec ebx |
inc ecx |
cdq |
xchg eax, ecx |
wait |
lahf |
daa |
cmc |
wait |
dec edx |
cdq |
dec edx |
salc |
xchg eax, edx |
dec edx |
cwde |
salc |
xchg eax, edx |
std |
xchg eax, ecx |
clc |
dec edx |
aas |
wait |
dec ebx |
lahf |
xchg eax, ecx |
inc eax |
daa |
dec ebx |
xchg eax, edx |
inc ecx |
inc ecx |
daa |
clc |
inc ebx |
xchg eax, ebx |
dec edx |
salc |
dec eax |
clc |
inc edx |
dec eax |
cld |
inc eax |
inc edx |
xchg eax, ebx |
xchg eax, edx |
std |
das |
cwde |
cmc |
inc eax |
lahf |
cwde |
dec edx |
std |
inc eax |
dec eax |
cwde |
wait |
clc |
inc ecx |
aaa |
cwde |
dec eax |
inc ebx |
cmc |
clc |
dec eax |
cmc |
cwde |
cld |
stc |
dec eax |
jmp 00007FF5F84AF91Dh |
mov al, 7Ch |
add byte ptr [ebp-58h], cl |
div dword ptr [edx+ebx*2+3Dh] |
add byte ptr [eax], al |
add cl, bl |
jne 00007FF5F84AEA89h |
push FFFFFFCCh |
jmp far fword ptr [eax+ecx-7CFFBF3Fh] |
les eax, fword ptr [edx+ebp*2] |
imul ebp, dword ptr [edx-0Ch], 59h |
adc eax, 0040C0A4h |
cmp al, byte ptr [esi+55h] |
jne 00007FF5F84AEA72h |
dec esp |
add al, 75h |
pop ss |
push 00000001h |
call dword ptr [0040C108h] |
add esp, 04h |
push FFFFFFFFh |
push FFFFFFAEh |
call dword ptr [004079A4h] |
jmp 00007FF5F84AEA9Ah |
cmp eax, 02000000h |
jmp 00007FF5F7CC5496h |
adc eax, AA247708h |
add esp, 04h |
push FFFFFFFFh |
idiv bh |
adc eax, 004042A4h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc76c | 0x78 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x7c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc1e0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xa966 | 0xb000 | 25a5df28e40b9bb8f8448c306f577b6d | False | 0.8182262073863636 | DOS executable (COM, 0x8C-variant) | 7.030657884174903 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xc000 | 0xfe6 | 0x1000 | 25d7ceee3aa85bb3e8c5174736f6f830 | False | 0.46142578125 | DOS executable (COM, 0x8C-variant) | 5.318390353744998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x15000 | 0x7c8 | 0x1000 | c13a9413aea7291b6fc85d75bfcde381 | False | 0.197998046875 | data | 1.958296025171192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0x15060 | 0x768 | data | English | United States | 0.40189873417721517 |
DLL | Import |
---|---|
MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp |
KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree |
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid |
WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError |
WS2_32.dll | WSARecv, WSASend |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 20, 2024 18:02:53.572454929 CEST | 49704 | 443 | 192.168.2.5 | 188.166.177.132 |
Oct 20, 2024 18:02:53.572504997 CEST | 443 | 49704 | 188.166.177.132 | 192.168.2.5 |
Oct 20, 2024 18:02:53.572577953 CEST | 49704 | 443 | 192.168.2.5 | 188.166.177.132 |
Oct 20, 2024 18:02:53.686876059 CEST | 49704 | 443 | 192.168.2.5 | 188.166.177.132 |
Oct 20, 2024 18:02:53.686945915 CEST | 443 | 49704 | 188.166.177.132 | 192.168.2.5 |
Oct 20, 2024 18:02:53.687012911 CEST | 443 | 49704 | 188.166.177.132 | 192.168.2.5 |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 12:02:53 |
Start date: | 20/10/2024 |
Path: | C:\Users\user\Desktop\eJeQNTcb4A.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 73'802 bytes |
MD5 hash: | EF734216083E11283BCF66E631014748 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 12:02:53 |
Start date: | 20/10/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x790000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:02:53 |
Start date: | 20/10/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 1.9% |
Dynamic/Decrypted Code Coverage: | 12.5% |
Signature Coverage: | 9.4% |
Total number of Nodes: | 64 |
Total number of Limit Nodes: | 2 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 0040A49C Relevance: 1.3, APIs: 1, Instructions: 26memoryCOMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 004045E8 Relevance: 2.6, Strings: 2, Instructions: 111COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404553 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408680 Relevance: .1, Instructions: 111COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404CD8 Relevance: .1, Instructions: 95COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00404A4B Relevance: .1, Instructions: 63COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00408780 Relevance: .1, Instructions: 54COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 00405F19 Relevance: .0, Instructions: 21COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|