Source: yqEiP70L9q.exe |
ReversingLabs: Detection: 36% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 94.3% probability |
Source: yqEiP70L9q.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: unknown |
UDP traffic detected without corresponding DNS query: 143.198.137.110 (this finding is listed 23 times in the original report, each time for the same destination address) |
Source: yqEiP70L9q.exe, 00000000.00000002.3350067606.000000C0001CA000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: RegisterRawInputDevices |
memstr_bc47efe3-3 |
Source: yqEiP70L9q.exe, type: SAMPLE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: yqEiP70L9q.exe, type: SAMPLE |
Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen |
Source: 00000000.00000002.3348938024.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: 00000000.00000000.2109123957.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: yqEiP70L9q.exe, type: SAMPLE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: yqEiP70L9q.exe, type: SAMPLE |
Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team |
Source: 00000000.00000002.3348938024.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: 00000000.00000000.2109123957.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: classification engine |
Classification label: mal72.troj.winEXE@1/1@0/1 |
Source: C:\Users\user\Desktop\yqEiP70L9q.exe |
File opened: C:\Windows\system32\d4c06f9686422c132abe42b3ebe5adda3f92bcd7f9fe3787287ce9d98e1f53deAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
Source: yqEiP70L9q.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\yqEiP70L9q.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\yqEiP70L9q.exe |
File read: C:\Users\user\Desktop\yqEiP70L9q.exe |
Source: C:\Users\user\Desktop\yqEiP70L9q.exe |
Sections loaded: apphelp.dll, cryptbase.dll, winmm.dll, powrprof.dll, umpdc.dll, mswsock.dll, userenv.dll, profapi.dll, netapi32.dll, wkscli.dll, netutils.dll, samcli.dll, samlib.dll |
Source: yqEiP70L9q.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: yqEiP70L9q.exe |
Static file information: File size 19317248 > 1048576 |
Source: yqEiP70L9q.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0xada600 |
Source: yqEiP70L9q.exe |
Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x71d800 |
Source: yqEiP70L9q.exe |
Static PE information: section name: .symtab |
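The static findings above (the DllCharacteristics flags, a .text and .rdata each larger than 1 MB, and a .symtab section, which the Go linker emits and which fits the Go type descriptors seen in the memory strings later in the report) all come straight from the PE header. The block below is an added example for this page that parses those fields with nothing but the standard library and reproduces the report's findings; it is not the sandbox's own code. The header it parses is constructed in `build_sample_pe`: the raw sizes 0xada600 and 0x71d800 are taken from the report, while the virtual sizes, addresses, subsystem value and the .data section are assumptions chosen to make a valid minimal header.

```python
"""Minimal PE header parser and static-triage checks. Added example for this page;
the sample header is constructed, not extracted from the analysed file."""
import struct

ONE_MB = 0x100000
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
             0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
             0x8000: "TERMINAL_SERVER_AWARE"}
SCN_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
             0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}


def build_sample_pe():
    """Constructed PE32+ header (no code bytes) mirroring the report's observations.
    Raw sizes of .text/.rdata are from the report; everything else is assumed."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text",   0xada4c0, 0x001000, 0xada600, 0x000600, 0x60000020),  # CODE|EXECUTE|READ
        (b".rdata",  0x71d6e0, 0xadc000, 0x71d800, 0xadac00, 0x40000040),  # INIT_DATA|READ
        (b".data",   0x001000, 0x11fa000, 0x001000, 0x11f8400, 0xC0000040),  # INIT_DATA|READ|WRITE
        (b".symtab", 0x000004, 0x11fb000, 0x000200, 0x11f9400, 0x40000040),  # Go linker section
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature at 0x40
    opt = bytearray(240)                                    # PE32+ optional header is 240 bytes
    struct.pack_into("<H", opt, 0, 0x20B)                   # Magic: PE32+
    struct.pack_into("<H", opt, 68, 3)                      # Subsystem: console (assumption)
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x8000)  # DllCharacteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Read machine, optional-header magic, DllCharacteristics and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic, = struct.unpack_from("<H", data, opt_off)
    dll_chars, = struct.unpack_from("<H", data, opt_off + 70)  # same offset for PE32 and PE32+
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _, rsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rsize": rsize, "chars": chars})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "dll_chars": dll_chars, "sections": sections}


def triage(info):
    """Emit findings in the report's wording, plus a W+X check the report does not list."""
    out = []
    flags = [n for bit, n in sorted(DLL_FLAGS.items()) if info["dll_chars"] & bit]
    out.append("DllCharacteristics: " + ", ".join(flags))
    for s in info["sections"]:
        chars = {n for bit, n in SCN_FLAGS.items() if s["chars"] & bit}
        if s["vsize"] > ONE_MB:
            out.append(f"Virtual size of {s['name']} is bigger than: {ONE_MB:#x}")
        if s["rsize"] > ONE_MB:
            out.append(f"Raw size of {s['name']} is bigger than: {ONE_MB:#x} < {s['rsize']:#x}")
        if s["name"] == ".symtab":
            out.append("section name: .symtab (emitted by the Go linker; typical of Go builds)")
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= chars:
            out.append(f"section {s['name']} is both writable and executable")
    return out


if __name__ == "__main__":
    for line in triage(parse_pe(build_sample_pe())):
        print(line)
```

The "bigger than 1 MB" heuristics are weak on their own: statically linked Go binaries routinely have a multi-megabyte .text, so on this sample they are consistent with the Go build rather than evidence of packing. The flag set is likewise what a modern linker emits by default; the .symtab section and the Go type strings are the more useful static hints here.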
Source: C:\Users\user\Desktop\yqEiP70L9q.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Users\user\Desktop\yqEiP70L9q.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: yqEiP70L9q.exe |
Binary or memory string: *dZDg8GOlWha.RqemuDU6 |
Source: yqEiP70L9q.exe |
Binary or memory string: "*func(dZDg8GOlWha.RqemuDU6, int32) |
Source: yqEiP70L9q.exe |
Binary or memory string: "*XQW6SOEMa.RportFwdStopListenerReq"*Y80d3IDiHfq.multiCounterIGMPStats"*[8]*MiA8NVDKeh.packetEndpointList"*[8]*MiA8NVDKeh.transportEndpoints"*[8]MiA8NVDKeh.TransportEndpointID"*[]HwWE4DL3SzH.multicastMembership"*[]MiA8NVDKeh.RawTransportEndpoint"*eT8t9i6qa.globalRequestFailureMsg"*eT8t9i6qa.globalRequestSuccessMsg"*func() (*LuLvUz6.A2_7ZWQg, error)"*func() (*xbofRUK.A5QXv9ht, error)"*func() (Lx24CX.ETypeInfo2, error)"*func() (int, kLj9yJ.BK3pmQ1, int)"*func() *XQW6SOEMa.PeerFailureType"*func() []*MiA8NVDKeh.PacketBuffer"*func() []*XQW6SOEMa.PivotListener"*func() []*XQW6SOEMa.WGSocksServer"*func() chan WRtn1ApPRs8.Z9vzm0qEY"*func(*dz_FcOJJP0i.LBUaAyUfuY) int"*func(*interface {}) *interface {}"*func(*v5xoCvbpNxIf.PklUPqhn) bool"*func(CI_J6CFTLJ.Hth7_DC3Sp3) bool"*func(CI_J6CFTLJ.HzD6zzL0gNo) bool"*func(CI_J6CFTLJ.SeCWup2SHR_) bool"*func(CI_J6CFTLJ.Xeh8d_ynYJ) error"*func(J_A82jwUL.qN9sS_wFFs) string"*func(KtubafaKzHq.jUkqZyneKr) bool"*func(MiA8NVDKeh.WpeX0Q3r_3C) bool"*func(TAvZdvPig9D.gSUmyK4YFN) bool"*func([]interface {}, bool, error)"*func([]uint8, int64) (int, error)"*func(dZDg8GOlWha.RqemuDU6, int32)"*func(int) CI_J6CFTLJ.GmtyLs5TbdKS"*func(int) CI_J6CFTLJ.HjUVHri_Fa5h"*func(int) CI_J6CFTLJ.OjTTuf6tBb9S"*func(int) CI_J6CFTLJ.Q0eQVQk87mEb"*func(int) MiA8NVDKeh.F0TYSKd2oxgY"*func(int, int, int) reflect.Value"*func(int, uintptr) unsafe.Pointer"*func(kLj9yJ.Z2cVa5tmI5, int) bool"*func(lCcwlOsEd5.HJ1vjcHM2Q) error"*func(nJ_2GX.SQX3zy) nJ_2GX.SQX3zy"*func(reflect.Value) reflect.Value"*func(string, string, string) bool"*func(uSu4g0ECu2IG.Z4v06nGiI) bool"*func(uintptr) J_A82jwUL.eS1kUdGyt"*func(wvcYPfgeP.GgczmVpryDGh) bool"*interface { IsMessageSet() bool 
}"*map.bucket[CI_J6CFTLJ.Ncis1QN]int"*map.bucket[eT8t9i6qa.NExJ5Wz_]int"*map.bucket[g4AdiO.JeKDqicz]string"*map.bucket[g4AdiO.v5XCEAwR]string"*map.bucket[int]*rCYAq7.ELx5VOxfhI"*map.bucket[int]*rCYAq7.H3UVn7jYcG"*map.bucket[int]*uMojai.D9I4GEKyPy"*map.bucket[qomvJW6Y9f.yhT0oW3]int"*map.bucket[string][]uMojai.rwW3zn"*map.bucket[zRzbzF.CbG0Z5v6]string"*map[*dhZuZLdTBsRn.CBoQLGNyPx1]int"*map[TAvZdvPig9D.flVctHkCmJ]string"*map[TAvZdvPig9D.gSUmyK4YFN]string"*map[string]CI_J6CFTLJ.SeCWup2SHR_"*map[string]uSu4g0ECu2IG.JH2wY6v_k"*map[unsafe.Pointer]unsafe.Pointer |
Source: yqEiP70L9q.exe, 00000000.00000002.3355169774.0000023D901DC000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\yqEiP70L9q.exe |
Queries volume information: C:\Users\user\Desktop\yqEiP70L9q.exe VolumeInformation |
Source: Yara match |
File source: 00000000.00000002.3350067606.000000C00014A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR |