
Windows Analysis Report
yqEiP70L9q.exe

Overview

General Information

Sample name:yqEiP70L9q.exe
renamed because original name is a hash value
Original sample name:30871d0e0185fcffd2d9452ffdd456f6.exe
Analysis ID:1540485
MD5:30871d0e0185fcffd2d9452ffdd456f6
SHA1:9748cce9eabeacc79b7981066f3a1de20017c49b
SHA256:579b87f1aee0d4dcddb5d3cc69ab2eb61af07a9f41da8a1a5c12453c219f85ba
Tags:64exetrojan

Detection

Sliver
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Sliver Implants
AI detected suspicious sample
Machine Learning detection for sample
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Yara signature match

Classification

  • System is w10x64
  • yqEiP70L9q.exe (PID: 6392 cmdline: "C:\Users\user\Desktop\yqEiP70L9q.exe" MD5: 30871D0E0185FCFFD2D9452FFDD456F6)
  • cleanup
Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
No configs have been found
Source: yqEiP70L9q.exe; Rule: Multi_Trojan_Bishopsliver_42298c4a; Description: unknown; Author: unknown; Strings:
  • 0xe5dc95:$a1: ).RequestResend
  • 0xe3a992:$a2: ).GetPrivInfo
Source: yqEiP70L9q.exe; Rule: INDICATOR_TOOL_Sliver; Description: Detects Sliver implant cross-platform adversary emulation/red team; Author: ditekSHen; Strings:
  • 0xb07115:$s3: .WGTCPForwarder
  • 0xb086ef:$s3: .WGTCPForwarder
  • 0xb0b189:$s3: .WGTCPForwarder
  • 0xb0c1e0:$s3: .WGTCPForwarder
  • 0xb0facb:$s3: .WGTCPForwarder
  • 0xb110d2:$s3: .WGTCPForwarder
  • 0xb018cb:$s6: .BackdoorReq
  • 0xb07073:$s7: .ProcessDumpReq
  • 0xb0af88:$s8: .InvokeSpawnDllReq
  • 0xafafc6:$s9: .SpawnDll
  • 0xb01a03:$s9: .SpawnDll
Source: 00000000.00000002.3350067606.000000C00014A000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Sliver; Description: Yara detected Sliver Implants; Author: Joe Security
    Source: 00000000.00000002.3348938024.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp; Rule: Multi_Trojan_Bishopsliver_42298c4a; Description: unknown; Author: unknown; Strings:
    • 0xa0095:$a1: ).RequestResend
    • 0x7cd92:$a2: ).GetPrivInfo
    Source: 00000000.00000000.2109123957.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp; Rule: Multi_Trojan_Bishopsliver_42298c4a; Description: unknown; Author: unknown; Strings:
    • 0xa0095:$a1: ).RequestResend
    • 0x7cd92:$a2: ).GetPrivInfo
    Source: Process Memory Space: yqEiP70L9q.exe PID: 6392; Rule: JoeSecurity_Sliver; Description: Yara detected Sliver Implants; Author: Joe Security
    Source: Process Memory Space: yqEiP70L9q.exe PID: 6392; Rule: Multi_Trojan_Bishopsliver_42298c4a; Description: unknown; Author: unknown; Strings:
    • 0x100296:$a1: ).RequestResend
    • 0x1540be:$a1: ).RequestResend
    • 0xdcf93:$a2: ).GetPrivInfo
    • 0x131de5:$a2: ).GetPrivInfo
      No Sigma rule has matched
      No Suricata rule has matched

      AV Detection

      Source: yqEiP70L9q.exe; ReversingLabs: Detection: 36%
      Source: Submitted Sample; Integrated Neural Analysis Model: Matched 94.3% probability
      Source: yqEiP70L9q.exe; Joe Sandbox ML: detected
      Source: yqEiP70L9q.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: unknown; UDP traffic detected without corresponding DNS query: 143.198.137.110
      Source: yqEiP70L9q.exe, 00000000.00000002.3350067606.000000C0001CA000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: RegisterRawInputDevices

      System Summary

      Source: yqEiP70L9q.exe, type: SAMPLE; Matched rule: Multi_Trojan_Bishopsliver_42298c4a, Author: unknown
      Source: yqEiP70L9q.exe, type: SAMPLE; Matched rule: Detects Sliver implant cross-platform adversary emulation/red team, Author: ditekSHen
      Source: 00000000.00000002.3348938024.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Multi_Trojan_Bishopsliver_42298c4a, Author: unknown
      Source: 00000000.00000000.2109123957.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Multi_Trojan_Bishopsliver_42298c4a, Author: unknown
      Source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR; Matched rule: Multi_Trojan_Bishopsliver_42298c4a, Author: unknown
      Source: yqEiP70L9q.exe, type: SAMPLE; Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
      Source: yqEiP70L9q.exe, type: SAMPLE; Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
      Source: 00000000.00000002.3348938024.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
      Source: 00000000.00000000.2109123957.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
      Source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR; Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
      Source: classification engine; Classification label: mal72.troj.winEXE@1/1@0/1
      Source: C:\Users\user\Desktop\yqEiP70L9q.exeFile opened: C:\Windows\system32\d4c06f9686422c132abe42b3ebe5adda3f92bcd7f9fe3787287ce9d98e1f53deAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
      Source: yqEiP70L9q.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: yqEiP70L9q.exe; ReversingLabs: Detection: 36%
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; File read: C:\Users\user\Desktop\yqEiP70L9q.exe
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: netapi32.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: wkscli.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: samcli.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Section loaded: samlib.dll
      Source: yqEiP70L9q.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: yqEiP70L9q.exe; Static file information: File size 19317248 > 1048576
      Source: yqEiP70L9q.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0xada600
      Source: yqEiP70L9q.exe; Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x71d800
      Source: yqEiP70L9q.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: yqEiP70L9q.exe; Static PE information: section name: .symtab
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: yqEiP70L9q.exe; Binary or memory string: *dZDg8GOlWha.RqemuDU6
      Source: yqEiP70L9q.exe; Binary or memory string: "*func(dZDg8GOlWha.RqemuDU6, int32)
      Source: yqEiP70L9q.exeBinary or memory string: "*XQW6SOEMa.RportFwdStopListenerReq"*Y80d3IDiHfq.multiCounterIGMPStats"*[8]*MiA8NVDKeh.packetEndpointList"*[8]*MiA8NVDKeh.transportEndpoints"*[8]MiA8NVDKeh.TransportEndpointID"*[]HwWE4DL3SzH.multicastMembership"*[]MiA8NVDKeh.RawTransportEndpoint"*eT8t9i6qa.globalRequestFailureMsg"*eT8t9i6qa.globalRequestSuccessMsg"*func() (*LuLvUz6.A2_7ZWQg, error)"*func() (*xbofRUK.A5QXv9ht, error)"*func() (Lx24CX.ETypeInfo2, error)"*func() (int, kLj9yJ.BK3pmQ1, int)"*func() *XQW6SOEMa.PeerFailureType"*func() []*MiA8NVDKeh.PacketBuffer"*func() []*XQW6SOEMa.PivotListener"*func() []*XQW6SOEMa.WGSocksServer"*func() chan WRtn1ApPRs8.Z9vzm0qEY"*func(*dz_FcOJJP0i.LBUaAyUfuY) int"*func(*interface {}) *interface {}"*func(*v5xoCvbpNxIf.PklUPqhn) bool"*func(CI_J6CFTLJ.Hth7_DC3Sp3) bool"*func(CI_J6CFTLJ.HzD6zzL0gNo) bool"*func(CI_J6CFTLJ.SeCWup2SHR_) bool"*func(CI_J6CFTLJ.Xeh8d_ynYJ) error"*func(J_A82jwUL.qN9sS_wFFs) string"*func(KtubafaKzHq.jUkqZyneKr) bool"*func(MiA8NVDKeh.WpeX0Q3r_3C) bool"*func(TAvZdvPig9D.gSUmyK4YFN) bool"*func([]interface {}, bool, error)"*func([]uint8, int64) (int, error)"*func(dZDg8GOlWha.RqemuDU6, int32)"*func(int) CI_J6CFTLJ.GmtyLs5TbdKS"*func(int) CI_J6CFTLJ.HjUVHri_Fa5h"*func(int) CI_J6CFTLJ.OjTTuf6tBb9S"*func(int) CI_J6CFTLJ.Q0eQVQk87mEb"*func(int) MiA8NVDKeh.F0TYSKd2oxgY"*func(int, int, int) reflect.Value"*func(int, uintptr) unsafe.Pointer"*func(kLj9yJ.Z2cVa5tmI5, int) bool"*func(lCcwlOsEd5.HJ1vjcHM2Q) error"*func(nJ_2GX.SQX3zy) nJ_2GX.SQX3zy"*func(reflect.Value) reflect.Value"*func(string, string, string) bool"*func(uSu4g0ECu2IG.Z4v06nGiI) bool"*func(uintptr) J_A82jwUL.eS1kUdGyt"*func(wvcYPfgeP.GgczmVpryDGh) bool"*interface { IsMessageSet() bool 
}"*map.bucket[CI_J6CFTLJ.Ncis1QN]int"*map.bucket[eT8t9i6qa.NExJ5Wz_]int"*map.bucket[g4AdiO.JeKDqicz]string"*map.bucket[g4AdiO.v5XCEAwR]string"*map.bucket[int]*rCYAq7.ELx5VOxfhI"*map.bucket[int]*rCYAq7.H3UVn7jYcG"*map.bucket[int]*uMojai.D9I4GEKyPy"*map.bucket[qomvJW6Y9f.yhT0oW3]int"*map.bucket[string][]uMojai.rwW3zn"*map.bucket[zRzbzF.CbG0Z5v6]string"*map[*dhZuZLdTBsRn.CBoQLGNyPx1]int"*map[TAvZdvPig9D.flVctHkCmJ]string"*map[TAvZdvPig9D.gSUmyK4YFN]string"*map[string]CI_J6CFTLJ.SeCWup2SHR_"*map[string]uSu4g0ECu2IG.JH2wY6v_k"*map[unsafe.Pointer]unsafe.Pointer
      Source: yqEiP70L9q.exe, 00000000.00000002.3355169774.0000023D901DC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\yqEiP70L9q.exe; Queries volume information: C:\Users\user\Desktop\yqEiP70L9q.exe VolumeInformation

      Stealing of Sensitive Information

      Source: Yara match; File source: 00000000.00000002.3350067606.000000C00014A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR

      Remote Access Functionality

      Source: Yara match; File source: 00000000.00000002.3350067606.000000C00014A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: yqEiP70L9q.exe PID: 6392, type: MEMORYSTR
      MITRE ATT&CK Matrix (numbers as shown in the report's matrix cells)

      • Reconnaissance: Gather Victim Identity Information; Credentials
      • Resource Development: Acquire Infrastructure; Domains
      • Initial Access: Valid Accounts; Default Accounts
      • Execution: Windows Management Instrumentation; Scheduled Task/Job
      • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts
      • Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts
      • Defense Evasion: 1 DLL Side-Loading; Rootkit
      • Credential Access: 11 Input Capture; LSASS Memory
      • Discovery: 1 Security Software Discovery; 12 System Information Discovery
      • Lateral Movement: Remote Services; Remote Desktop Protocol
      • Collection: 11 Input Capture; Data from Removable Media
      • Command and Control: Data Obfuscation; Junk Data
      • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
      • Impact: Abuse Accessibility Features; Network Denial of Service

      Antivirus Detection
      Source: yqEiP70L9q.exe; Detection: 37%; Scanner: ReversingLabs; Label: Win64.Trojan.TangoMarte
      Source: yqEiP70L9q.exe; Detection: 100%; Scanner: Joe Sandbox ML
      No Antivirus matches
      No contacted domains info
      Contacted IPs
      IP: 143.198.137.110; Domain: unknown; Country: United States; ASN: 15557; ASN Name: LDCOMNETFR; Malicious: false
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1540485
      Start date and time:2024-10-23 20:28:11 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 29s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of new started processes analysed:5
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:yqEiP70L9q.exe
      renamed because original name is a hash value
      Original Sample Name:30871d0e0185fcffd2d9452ffdd456f6.exe
      Detection:MAL
      Classification:mal72.troj.winEXE@1/1@0/1
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • VT rate limit hit for: yqEiP70L9q.exe
      No simulations
      No context
      Match: LDCOMNETFR (ASN); associated samples (Sample Name; Detection; Threat Name; Context IP):
      • arm.elf; malicious; Unknown; 109.2.193.158
      • la.bot.mipsel.elf; malicious; Unknown; 77.156.212.238
      • la.bot.arm5.elf; malicious; Unknown; 77.158.39.181
      • la.bot.mips.elf; malicious; Unknown; 109.12.131.46
      • nCEnoU35Wv.elf; malicious; Okiru; 77.150.69.246
      • byte.arm.elf; malicious; Okiru; 93.17.161.29
      • la.bot.m68k.elf; malicious; Unknown; 86.71.223.125
      • la.bot.mips.elf; malicious; Unknown; 84.98.220.84
      • la.bot.arm.elf; malicious; Unknown; 93.25.192.242
      • la.bot.m68k.elf; malicious; Unknown; 109.16.194.174
      No context
      Process:C:\Users\user\Desktop\yqEiP70L9q.exe
      File Type:GLS_BINARY_LSB_FIRST
      Category:dropped
      Size (bytes):160
      Entropy (8bit):4.438743916256937
      Encrypted:false
      SSDEEP:3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
      MD5:E467C82627F5E1524FDB4415AF19FC73
      SHA1:B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
      SHA-256:116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
      SHA-512:2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............
      File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
      Entropy (8bit):6.115106466563356
      TrID:
      • Win64 Executable (generic) (12005/4) 74.95%
      • Generic Win/DOS Executable (2004/3) 12.51%
      • DOS Executable Generic (2002/1) 12.50%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
      File name:yqEiP70L9q.exe
      File size:19'317'248 bytes
      MD5:30871d0e0185fcffd2d9452ffdd456f6
      SHA1:9748cce9eabeacc79b7981066f3a1de20017c49b
      SHA256:579b87f1aee0d4dcddb5d3cc69ab2eb61af07a9f41da8a1a5c12453c219f85ba
      SHA512:174a9861c6fcd6f77831fbfd4bd706e7dedfb7a0481725c2fd84663fa140cd1776e5e367a5b24028af2f7815f3fea6f198070e2967d67e81da802ea09f0cb59e
      SSDEEP:98304:oV5mfT7ZBbST4IzqTur8eXWuQrad5yd/ZBC6Ep/EqMLEIJMY:oV5mxBb3TreXWO5yd/ZBCTpcRb
      TLSH:41172A03E8D61195C9E9D1B489214262BA707C9C0B7963DF2B61F7B42F327F05EBA790
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........&.......".................`.........@...............................-...........`... ............................
      Icon Hash:00928e8e8686b000
      Entrypoint:0x45d260
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:1
      File Version Major:6
      File Version Minor:1
      Subsystem Version Major:6
      Subsystem Version Minor:1
      Import Hash:f0ea7b7844bbc5bfa9bb32efdcea957c
      Instruction
      jmp 00007FC9D452D750h
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      int3
      pushfd
      cld
      dec eax
      sub esp, 000000E0h
      dec eax
      mov dword ptr [esp], edi
      dec eax
      mov dword ptr [esp+08h], esi
      dec eax
      mov dword ptr [esp+10h], ebp
      dec eax
      mov dword ptr [esp+18h], ebx
      dec esp
      mov dword ptr [esp+20h], esp
      dec esp
      mov dword ptr [esp+28h], ebp
      dec esp
      mov dword ptr [esp+30h], esi
      dec esp
      mov dword ptr [esp+38h], edi
      movups dqword ptr [esp+40h], xmm6
      movups dqword ptr [esp+50h], xmm7
      inc esp
      movups dqword ptr [esp+60h], xmm0
      inc esp
      movups dqword ptr [esp+70h], xmm1
      inc esp
      movups dqword ptr [esp+00000080h], xmm2
      inc esp
      movups dqword ptr [esp+00000090h], xmm3
      inc esp
      movups dqword ptr [esp+000000A0h], xmm4
      inc esp
      movups dqword ptr [esp+000000B0h], xmm5
      inc esp
      movups dqword ptr [esp+000000C0h], xmm6
      inc esp
      movups dqword ptr [esp+000000D0h], xmm7
      dec eax
      sub esp, 30h
      dec ecx
      mov ebp, ecx
      dec ecx
      mov edi, eax
      dec eax
      mov edx, dword ptr [01239A13h]
      dec eax
      mov edx, dword ptr [edx]
      dec eax
      cmp edx, 00000000h
      jne 00007FC9D453141Eh
      dec eax
      mov eax, 00000000h
      jmp 00007FC9D45314E3h
      dec eax
      mov edx, dword ptr [edx]
      dec eax
      Data Directories (Name; Virtual Address; Virtual Size; Is in Section)
      IMAGE_DIRECTORY_ENTRY_EXPORT; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_IMPORT; 0x12ab000; 0x490; .idata
      IMAGE_DIRECTORY_ENTRY_RESOURCE; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_EXCEPTION; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_SECURITY; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC; 0x12ac000; 0x31b92; .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_TLS; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_IAT; 0x11fa040; 0x148; .data
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_RESERVED; 0x0; 0x0
      Sections (Name; Virtual Address; Virtual Size; Raw Size; MD5; Xored PE; ZLIB Complexity; File Type; Entropy; Characteristics)
      .text; 0x1000; 0xada58f; 0xada600; bc0a7752638d1d446cbf9cf21ea0e602; unknown; unknown; unknown; unknown; IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata; 0xadc000; 0x71d798; 0x71d800; 59669ab95ed32db8579e8c98780b0e02; unknown; unknown; unknown; unknown; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data; 0x11fa000; 0xb04d0; 0x41a00; 31850976cb1b39201bceac9944bc3f38; False; 0.3879724702380952; data; 4.782356885965532; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .idata; 0x12ab000; 0x490; 0x600; 2bda1f0c81dfae46ea8b9b606a4f3700; False; 0.337890625; data; 3.7631310752533804; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .reloc; 0x12ac000; 0x31b92; 0x31c00; baa7cce747b2a94c769aa67386b8b189; False; 0.13413257694723618; data; 5.443883940323915; IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      .symtab; 0x12de000; 0x4; 0x200; 07b5472d347d42780469fb2654b7fc54; False; 0.02734375; data; 0.020393135236084953; IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      Imports
      DLL: kernel32.dll
      Import: WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler
      Network Packets
      Timestamp                             Src Port  Dst Port  Source IP        Dest IP
      Oct 23, 2024 20:29:11.746556044 CEST  62851     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:12.388644934 CEST  443       62851     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:12.389255047 CEST  62851     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:12.552124023 CEST  443       62851     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:12.552668095 CEST  62851     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:13.044303894 CEST  443       62851     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:13.044497967 CEST  443       62851     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:13.534135103 CEST  443       62851     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:14.145076036 CEST  443       62851     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:14.183278084 CEST  62852     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:14.514678955 CEST  443       62851     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:14.808820009 CEST  443       62852     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:14.809674025 CEST  62852     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:14.972469091 CEST  443       62852     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:14.972886086 CEST  62852     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:15.153779984 CEST  62852     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:15.153779984 CEST  62852     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:15.318141937 CEST  443       62852     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:16.355875015 CEST  62853     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:16.468614101 CEST  443       62851     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:17.013884068 CEST  443       62853     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:17.014446974 CEST  62853     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:17.176186085 CEST  443       62853     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:17.176758051 CEST  62853     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:17.176891088 CEST  62853     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:17.176923037 CEST  62853     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:17.339755058 CEST  443       62853     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:17.339837074 CEST  443       62853     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:17.339857101 CEST  443       62853     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:29:17.340393066 CEST  62853     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:17.340459108 CEST  62853     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:29:27.503730059 CEST  443       62853     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:30:28.186940908 CEST  62080     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:30:29.818882942 CEST  443       62080     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:30:29.819459915 CEST  62080     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:30:29.819459915 CEST  62080     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:30:29.981009007 CEST  443       62080     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:30:29.981609106 CEST  443       62080     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:30:29.981715918 CEST  62080     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:30:29.981715918 CEST  62080     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:30:29.981767893 CEST  62080     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:30:30.145464897 CEST  443       62080     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:30:30.146543026 CEST  443       62080     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:30:30.146755934 CEST  62080     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:30:30.147118092 CEST  443       62080     143.198.137.110  192.168.2.5
      Oct 23, 2024 20:30:30.147361994 CEST  62080     443       192.168.2.5      143.198.137.110
      Oct 23, 2024 20:30:40.310113907 CEST  443       62080     143.198.137.110  192.168.2.5
      ICMP Packets
      Timestamp                             Source IP    Dest IP          Checksum  Code                Type
      Oct 23, 2024 20:29:13.534353018 CEST  192.168.2.5  143.198.137.110  d9e8      (Port unreachable)  Destination Unreachable
      Oct 23, 2024 20:29:14.514904022 CEST  192.168.2.5  143.198.137.110  d9e8      (Port unreachable)  Destination Unreachable
      Oct 23, 2024 20:29:16.468708992 CEST  192.168.2.5  143.198.137.110  d9e8      (Port unreachable)  Destination Unreachable
      Oct 23, 2024 20:29:27.503855944 CEST  192.168.2.5  143.198.137.110  d918      (Port unreachable)  Destination Unreachable
      Oct 23, 2024 20:30:40.310339928 CEST  192.168.2.5  143.198.137.110  d918      (Port unreachable)  Destination Unreachable


      Target ID:0
      Start time:14:29:10
      Start date:23/10/2024
      Path:C:\Users\user\Desktop\yqEiP70L9q.exe
      Wow64 process (32bit):false
      Commandline:"C:\Users\user\Desktop\yqEiP70L9q.exe"
      Imagebase:0xf90000
      File size:19'317'248 bytes
      MD5 hash:30871D0E0185FCFFD2D9452FFDD456F6
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Go lang
      Yara matches:
      • Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000000.00000002.3350067606.000000C00014A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
      • Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000000.00000002.3348938024.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
      • Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000000.00000000.2109123957.0000000001D4F000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
      Reputation:low
      Has exited:false

      No disassembly