Windows Analysis Report
yqEiP70L9q.exe

Overview

General Information

Sample name: yqEiP70L9q.exe
renamed because original name is a hash value
Original sample name: 30871d0e0185fcffd2d9452ffdd456f6.exe
Analysis ID: 1540485
MD5: 30871d0e0185fcffd2d9452ffdd456f6
SHA1: 9748cce9eabeacc79b7981066f3a1de20017c49b
SHA256: 579b87f1aee0d4dcddb5d3cc69ab2eb61af07a9f41da8a1a5c12453c219f85ba
Tags: 64, exe, trojan

Detection

Sliver
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Sliver Implants
AI detected suspicious sample
Machine Learning detection for sample
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Yara signature match

Classification

Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

AV Detection

Source: yqEiP70L9q.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.3% probability
Source: yqEiP70L9q.exe Joe Sandbox ML: detected
Source: yqEiP70L9q.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: unknown UDP traffic detected without corresponding DNS query: 143.198.137.110 (identical event reported 23 times)
Source: yqEiP70L9q.exe, 00000000.00000002.3350067606.000000C0001CA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_bc47efe3-3

System Summary

Source: yqEiP70L9q.exe, type: SAMPLE Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: yqEiP70L9q.exe, type: SAMPLE Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000000.00000002.3348938024.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000000.00000000.2109123957.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: yqEiP70L9q.exe, type: SAMPLE Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: yqEiP70L9q.exe, type: SAMPLE Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000000.00000002.3348938024.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000000.00000000.2109123957.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: classification engine Classification label: mal72.troj.winEXE@1/1@0/1
Source: C:\Users\user\Desktop\yqEiP70L9q.exe File opened: C:\Windows\system32\d4c06f9686422c132abe42b3ebe5adda3f92bcd7f9fe3787287ce9d98e1f53deAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: yqEiP70L9q.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: yqEiP70L9q.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\yqEiP70L9q.exe File read: C:\Users\user\Desktop\yqEiP70L9q.exe Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Section loaded: samlib.dll Jump to behavior
Source: yqEiP70L9q.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: yqEiP70L9q.exe Static file information: File size 19317248 > 1048576
Source: yqEiP70L9q.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xada600
Source: yqEiP70L9q.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x71d800
Source: yqEiP70L9q.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: yqEiP70L9q.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: yqEiP70L9q.exe Binary or memory string: *dZDg8GOlWha.RqemuDU6
Source: yqEiP70L9q.exe Binary or memory string: "*func(dZDg8GOlWha.RqemuDU6, int32)
Source: yqEiP70L9q.exe Binary or memory string: "*XQW6SOEMa.RportFwdStopListenerReq"*Y80d3IDiHfq.multiCounterIGMPStats"*[8]*MiA8NVDKeh.packetEndpointList"*[8]*MiA8NVDKeh.transportEndpoints"*[8]MiA8NVDKeh.TransportEndpointID"*[]HwWE4DL3SzH.multicastMembership"*[]MiA8NVDKeh.RawTransportEndpoint"*eT8t9i6qa.globalRequestFailureMsg"*eT8t9i6qa.globalRequestSuccessMsg"*func() (*LuLvUz6.A2_7ZWQg, error)"*func() (*xbofRUK.A5QXv9ht, error)"*func() (Lx24CX.ETypeInfo2, error)"*func() (int, kLj9yJ.BK3pmQ1, int)"*func() *XQW6SOEMa.PeerFailureType"*func() []*MiA8NVDKeh.PacketBuffer"*func() []*XQW6SOEMa.PivotListener"*func() []*XQW6SOEMa.WGSocksServer"*func() chan WRtn1ApPRs8.Z9vzm0qEY"*func(*dz_FcOJJP0i.LBUaAyUfuY) int"*func(*interface {}) *interface {}"*func(*v5xoCvbpNxIf.PklUPqhn) bool"*func(CI_J6CFTLJ.Hth7_DC3Sp3) bool"*func(CI_J6CFTLJ.HzD6zzL0gNo) bool"*func(CI_J6CFTLJ.SeCWup2SHR_) bool"*func(CI_J6CFTLJ.Xeh8d_ynYJ) error"*func(J_A82jwUL.qN9sS_wFFs) string"*func(KtubafaKzHq.jUkqZyneKr) bool"*func(MiA8NVDKeh.WpeX0Q3r_3C) bool"*func(TAvZdvPig9D.gSUmyK4YFN) bool"*func([]interface {}, bool, error)"*func([]uint8, int64) (int, error)"*func(dZDg8GOlWha.RqemuDU6, int32)"*func(int) CI_J6CFTLJ.GmtyLs5TbdKS"*func(int) CI_J6CFTLJ.HjUVHri_Fa5h"*func(int) CI_J6CFTLJ.OjTTuf6tBb9S"*func(int) CI_J6CFTLJ.Q0eQVQk87mEb"*func(int) MiA8NVDKeh.F0TYSKd2oxgY"*func(int, int, int) reflect.Value"*func(int, uintptr) unsafe.Pointer"*func(kLj9yJ.Z2cVa5tmI5, int) bool"*func(lCcwlOsEd5.HJ1vjcHM2Q) error"*func(nJ_2GX.SQX3zy) nJ_2GX.SQX3zy"*func(reflect.Value) reflect.Value"*func(string, string, string) bool"*func(uSu4g0ECu2IG.Z4v06nGiI) bool"*func(uintptr) J_A82jwUL.eS1kUdGyt"*func(wvcYPfgeP.GgczmVpryDGh) bool"*interface { IsMessageSet() bool 
}"*map.bucket[CI_J6CFTLJ.Ncis1QN]int"*map.bucket[eT8t9i6qa.NExJ5Wz_]int"*map.bucket[g4AdiO.JeKDqicz]string"*map.bucket[g4AdiO.v5XCEAwR]string"*map.bucket[int]*rCYAq7.ELx5VOxfhI"*map.bucket[int]*rCYAq7.H3UVn7jYcG"*map.bucket[int]*uMojai.D9I4GEKyPy"*map.bucket[qomvJW6Y9f.yhT0oW3]int"*map.bucket[string][]uMojai.rwW3zn"*map.bucket[zRzbzF.CbG0Z5v6]string"*map[*dhZuZLdTBsRn.CBoQLGNyPx1]int"*map[TAvZdvPig9D.flVctHkCmJ]string"*map[TAvZdvPig9D.gSUmyK4YFN]string"*map[string]CI_J6CFTLJ.SeCWup2SHR_"*map[string]uSu4g0ECu2IG.JH2wY6v_k"*map[unsafe.Pointer]unsafe.Pointer
Source: yqEiP70L9q.exe, 00000000.00000002.3355169774.0000023D901DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\yqEiP70L9q.exe Queries volume information: C:\Users\user\Desktop\yqEiP70L9q.exe VolumeInformation Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.3350067606.000000C00014A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.3350067606.000000C00014A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR