Windows Analysis Report
VBqmdl6ttr.exe

Overview

General Information

Sample name: VBqmdl6ttr.exe
renamed because original name is a hash value
Original sample name: 9fd4c19371695542b32c3affee29c23939e18d6ec52a3d7329fc31bba5c870d6.exe
Analysis ID: 1542744
MD5: 4139a824287596151a7fbc2e357a33ad
SHA1: 8f0a5e23c48a42320594090f1a24dd5cd32e194d
SHA256: 9fd4c19371695542b32c3affee29c23939e18d6ec52a3d7329fc31bba5c870d6
Tags: 20-25-126-96, exe, user-JAMESWT_MHT

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: VBqmdl6ttr.exe Avira: detected
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/cm", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: VBqmdl6ttr.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: VBqmdl6ttr.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96A1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_000001D7C96A1184
Source: VBqmdl6ttr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B975C malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_000001D7C96B975C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B2170 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_000001D7C96B2170
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 4x nop then sub rsp, 58h 0_2_00007FF7F72D2E70

Networking

Source: Malware configuration extractor URLs: 20.25.126.96
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B60F8 recv, 0_2_000001D7C96B60F8
Source: VBqmdl6ttr.exe, 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/
Source: VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.1492910943.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/
Source: VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.1492910943.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/4
Source: VBqmdl6ttr.exe, 00000000.00000003.2118756330.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/6
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C9457000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cm
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2418998322.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2118756330.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmD
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmf
Source: VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/cmr
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/m
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94C2000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C9457000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96:443/cm
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714

System Summary

Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_00007FF7F72D16CA GetCurrentProcess,GetCurrentProcess,NtCreateJobSet,GetCurrentProcess,NtCompareSigningLevels, 0_2_00007FF7F72D16CA
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_00007FF7F72D1C4B NtAccessCheckAndAuditAlarm, 0_2_00007FF7F72D1C4B
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_00007FF7F72D1C97 GetCurrentProcess,NtSetTimer, 0_2_00007FF7F72D1C97
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_00007FF7F72D14D8 GetCurrentProcess,GetCurrentProcess,NtAlpcCreatePortSection,GetCurrentProcess,GetCurrentProcess,NtCreatePagingFile, 0_2_00007FF7F72D14D8
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B17A8 CreateProcessWithLogonW,GetLastError, 0_2_000001D7C96B17A8
Source: VBqmdl6ttr.exe Static PE information: Number of sections : 11 > 10
Source: VBqmdl6ttr.exe, 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs VBqmdl6ttr.exe
Source: VBqmdl6ttr.exe Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs VBqmdl6ttr.exe
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
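The match lines above follow one fixed shape (source, scan type, rule name, then comma-separated `key = value` metadata), so they can be parsed and cross-tabulated instead of read one by one. The script below is an added example, not the sandbox's own parser: the six SAMPLE lines are copied from the report above, while the regular expressions, field names and helper functions are this example's own. The point it makes is which rules are corroborated across independent scan contexts (unpacked PE, memory dump, process memory strings), which is the signal an analyst weighs more than any single hit.

```python
"""Parse 'Matched rule' lines from a sandbox report into structured records.

Added example, not part of the report.  SAMPLE is copied verbatim from the
report; everything else is this example's own triage logic.
"""
import re
from collections import defaultdict

SAMPLE = """\
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
"""

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>\S+) Matched rule: (?P<rule>\S+)"
    r"(?: (?P<meta>.*))?$"
)
# Split metadata on ', ' only where a 'key = ' token follows, so values that
# themselves contain commas ('scan_context = file, memory') are kept whole.
META_SPLIT_RE = re.compile(r", (?=\w+ = )")


def parse_line(line):
    """Return {source, type, rule, meta} for one report line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"source": m["source"], "type": m["type"], "rule": m["rule"], "meta": {}}
    if m["meta"]:
        for field in META_SPLIT_RE.split(m["meta"]):
            key, sep, value = field.partition(" = ")
            if sep:
                rec["meta"][key.strip()] = value.strip()
    return rec


def parse_report(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def rules_by_scan_type(records):
    """rule name -> set of scan types (UNPACKEDPE, MEMORY, MEMORYSTR) it hit in."""
    out = defaultdict(set)
    for r in records:
        out[r["rule"]].add(r["type"])
    return dict(out)


def corroborated_rules(records, min_types=2):
    """Rules that fired in at least min_types independent scan contexts."""
    return sorted(rule for rule, types in rules_by_scan_type(records).items()
                  if len(types) >= min_types)


def references(records):
    """Reference URLs carried in rule metadata, for pivoting to the source reports."""
    return sorted({r["meta"]["reference"] for r in records if "reference" in r["meta"]})


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    print(len(recs), "matches;", corroborated_rules(recs), references(recs))
```

On the full set of lines above, the same helpers show that the rule hits are spread over two unpacked regions, their memory dumps and the process string scan rather than a single artifact, which is why the report treats the Cobalt Strike verdict as high confidence.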
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B10B0 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_000001D7C96B10B0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B3FA4 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep, 0_2_000001D7C96B3FA4
Source: VBqmdl6ttr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VBqmdl6ttr.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe File read: C:\Users\user\Desktop\VBqmdl6ttr.exe
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Section loaded: ondemandconnroutehelper.dll
Source: VBqmdl6ttr.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: VBqmdl6ttr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
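The two static lines above come from the optional header: the image base and the DllCharacteristics bit field that carries HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT. Checking them on a copy of the sample needs nothing beyond the standard library. The script below is an added example, not the sandbox's code: it reads those fields from any PE file, and because it must run offline it also builds a constructed minimal header that carries exactly the flags and image base the report lists (the numeric value 0x0160 is this example's construction of that flag set, not a value taken from the report).

```python
"""Read image base and DllCharacteristics from a PE optional header.

Added example, not part of the report.  pe_mitigations() works on real files;
build_sample_pe() fabricates a header so the check can be exercised offline.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data):
    """Parse image base and DllCharacteristics; raise ValueError on a non-PE blob."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # skip signature and COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:              # 64-bit: ImageBase is a QWORD at +24
        fmt, image_base = "PE32+", struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == PE32_MAGIC:                # 32-bit: BaseOfData precedes ImageBase at +28
        fmt, image_base = "PE32", struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    flags = sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dllchar & bit)
    return {
        "format": fmt,
        "image_base": image_base,
        "dll_characteristics": dllchar,
        "flags": flags,
        # mirrors the report's own image-base threshold
        "high_image_base": image_base > 0x60000000,
    }


def missing_mitigations(info, expected=("DYNAMIC_BASE", "HIGH_ENTROPY_VA", "NX_COMPAT", "GUARD_CF")):
    """Which of the usual build-time mitigations the image lacks."""
    return sorted(set(expected) - set(info["flags"]))


def build_sample_pe(image_base, dllchar, pe32plus=True):
    """Constructed minimal header: only the fields pe_mitigations() reads are populated."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x140000000, 0x0160)
    info = pe_mitigations(blob)
    print(info, "missing:", missing_mitigations(info))
```

Run it with the sample's path as the first argument to check the real header; without an argument it parses the constructed one.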
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96AD840 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_000001D7C96AD840
Source: VBqmdl6ttr.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C9427F8C push 0000006Ah; retf 0_2_000001D7C9427FA4
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96D918C push 0000006Ah; retf 0_2_000001D7C96D91A4
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96C0A70 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_000001D7C96C0A70

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96AFF5C 0_2_000001D7C96AFF5C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B5D98 0_2_000001D7C96B5D98
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe API coverage: 7.4 %
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe TID: 5864 Thread sleep time: -60000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B975C malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_000001D7C96B975C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B2170 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_000001D7C96B2170
Source: VBqmdl6ttr.exe, 00000000.00000003.2093408888.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095684788.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.1493109439.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2118756330.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C9457000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2096075885.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96D0040 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte, 0_2_000001D7C96D0040
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96C9F80 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_000001D7C96C9F80
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96AD840 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_000001D7C96AD840
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96CC8FC _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock, 0_2_000001D7C96CC8FC
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_00007FF7F72D1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF7F72D1180
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe NtProtectVirtualMemory: Indirect: 0x7FF7F72D1768
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe NtProtectVirtualMemory: Indirect: 0x7FF7F72D1593
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe NtCreateThreadEx: Indirect: 0x7FF7F72D17B1
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe NtMapViewOfSection: Indirect: 0x7FF7F72D1D04
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe NtProtectVirtualMemory: Indirect: 0x7FF7F72D15F6
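A normal call to a native API goes through the exported ntdll stub, which is where user-mode EDR hooks sit. With an indirect syscall the caller sets up the system call number itself and only jumps to a `syscall` instruction, so the hook is never executed; the addresses the report records for these five calls lie in the 0x7FF7F72D... range of the sample's own image, not in ntdll. The script below is an added example of that triage step, not the sandbox's detection logic: it maps each recorded address to a module and flags calls that do not originate in ntdll. The five call lines are copied from the report; the module map is constructed (the main-image range is an assumption inferred from the 0x7FF7F72D1180 function address elsewhere in the report, the kernel32 and ntdll ranges are made up to stand in for a module list taken from a dump or debugger), and the NtClose line is a constructed benign control.

```python
"""Attribute Nt* call sites to loaded modules and flag calls issued outside ntdll.

Added example, not part of the report.  REPORT_LINES are copied from the
report; MODULES is a constructed map standing in for a real module list.
"""
import re

SYSCALL_RE = re.compile(
    r"(?P<api>Nt\w+): (?P<kind>Direct|Indirect): (?P<addr>0x[0-9A-Fa-f]+)"
)

MODULES = [  # (name, start, end); constructed, see module docstring
    ("VBqmdl6ttr.exe", 0x7FF7F72D0000, 0x7FF7F7300000),   # assumed main-image range
    ("kernel32.dll",   0x7FFD4A0A0000, 0x7FFD4A160000),   # made up
    ("ntdll.dll",      0x7FFD4B7F0000, 0x7FFD4BA00000),   # made up
]

REPORT_LINES = [
    "NtProtectVirtualMemory: Indirect: 0x7FF7F72D1768",
    "NtProtectVirtualMemory: Indirect: 0x7FF7F72D1593",
    "NtCreateThreadEx: Indirect: 0x7FF7F72D17B1",
    "NtMapViewOfSection: Indirect: 0x7FF7F72D1D04",
    "NtProtectVirtualMemory: Indirect: 0x7FF7F72D15F6",
    "NtClose: Direct: 0x7FFD4B8A1234",   # constructed control: issued from ntdll itself
]


def resolve_module(addr, modules=MODULES):
    """Module containing addr, or None for unbacked memory (shellcode, reflective DLL)."""
    for name, start, end in modules:
        if start <= addr < end:
            return name
    return None


def classify_calls(lines, modules=MODULES):
    """One finding per Nt* line; suspicious when the issuing address is not in ntdll."""
    findings = []
    for line in lines:
        m = SYSCALL_RE.search(line)
        if not m:
            continue
        addr = int(m["addr"], 16)
        module = resolve_module(addr, modules)
        findings.append({
            "api": m["api"],
            "kind": m["kind"],
            "addr": addr,
            "module": module,
            "suspicious": module is None or module.lower() != "ntdll.dll",
        })
    return findings


def suspicious_apis(findings):
    return sorted({f["api"] for f in findings if f["suspicious"]})


# A protection change plus thread creation from outside ntdll is the minimal
# footprint of code injection or in-place payload execution.
INJECTION_APIS = {"NtProtectVirtualMemory", "NtCreateThreadEx"}


def injection_chain(findings):
    return INJECTION_APIS <= set(suspicious_apis(findings))


if __name__ == "__main__":
    found = classify_calls(REPORT_LINES)
    for f in found:
        print(f"{f['api']:24} {f['kind']:8} 0x{f['addr']:X} {f['module']} "
              f"{'SUSPICIOUS' if f['suspicious'] else 'ok'}")
    print("injection chain:", injection_chain(found))
```

The heuristic is deliberately coarse: a legitimate runtime that statically links its own syscall stubs would trip it too, so treat the output as a lead to confirm against the call targets (here, memory protection changes followed by thread creation and section mapping) rather than a verdict.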
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96BE45C LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_000001D7C96BE45C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96BE3D4 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_000001D7C96BE3D4
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B0E60 CreateNamedPipeA, 0_2_000001D7C96B0E60
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96AF900 GetLocalTime, 0_2_000001D7C96AF900
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B6368 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf, 0_2_000001D7C96B6368
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match File source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR
Source: Yara match File source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B6FB4 socket,htons,ioctlsocket,closesocket,bind,listen, 0_2_000001D7C96B6FB4
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96BF398 socket,closesocket,htons,bind,listen, 0_2_000001D7C96BF398
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe Code function: 0_2_000001D7C96B6BAC htonl,htons,socket,closesocket,bind,ioctlsocket, 0_2_000001D7C96B6BAC