Edit tour

Windows Analysis Report
6GUgc6JYS1.exe

Overview

General Information

Sample name:	6GUgc6JYS1.exe renamed because original name is a hash value
Original sample name:	cf580830ecedcd498730091d01b92c1fde220d95f1fa677ce88f1a17f236b6b8.exe
Analysis ID:	1542745
MD5:	789bf0a8714e77d0d524ba22d8efbd7e
SHA1:	61c56b19c55020494fa19faa3d1b7a2f070259df
SHA256:	cf580830ecedcd498730091d01b92c1fde220d95f1fa677ce88f1a17f236b6b8
Tags:	20-25-126-96exeuser-JAMESWT_MHT
Infos:

Detection

CobaltStrike, Metasploit

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

6GUgc6JYS1.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\6GUgc6JYS1.exe" MD5: 789BF0A8714E77D0D524BA22D8EFBD7E)

WerFault.exe (PID: 7088 cmdline: C:\Windows\system32\WerFault.exe -u -p 6608 -s 1228 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"C2Server": "http://20.25.126.96:443/bDDs", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)\r\n"}

Threatname: Metasploit

{"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)\r\n", "Type": "Metasploit Download", "URL": "http://20.25.126.96/bDDs"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x213bf:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x2142b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T09:11:36.563533+0200	2028765	3	Unknown Traffic	192.168.2.12	49710	20.25.126.96	443	TCP
2024-10-26T09:11:38.792427+0200	2028765	3	Unknown Traffic	192.168.2.12	49713	20.25.126.96	443	TCP
2024-10-26T09:11:40.928461+0200	2028765	3	Unknown Traffic	192.168.2.12	49716	20.25.126.96	443	TCP
2024-10-26T09:11:43.046909+0200	2028765	3	Unknown Traffic	192.168.2.12	49719	20.25.126.96	443	TCP
2024-10-26T09:11:45.159166+0200	2028765	3	Unknown Traffic	192.168.2.12	49722	20.25.126.96	443	TCP
2024-10-26T09:11:47.312952+0200	2028765	3	Unknown Traffic	192.168.2.12	49725	20.25.126.96	443	TCP
2024-10-26T09:11:49.412285+0200	2028765	3	Unknown Traffic	192.168.2.12	49728	20.25.126.96	443	TCP
2024-10-26T09:11:51.549927+0200	2028765	3	Unknown Traffic	192.168.2.12	49732	20.25.126.96	443	TCP
2024-10-26T09:11:53.653075+0200	2028765	3	Unknown Traffic	192.168.2.12	49740	20.25.126.96	443	TCP
2024-10-26T09:11:55.932749+0200	2028765	3	Unknown Traffic	192.168.2.12	49744	20.25.126.96	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: CobaltStrike {"C2Server": "http://20.25.126.96:443/bDDs", "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)\r\n"}
Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727)\r\n", "Type": "Metasploit Download", "URL": "http://20.25.126.96/bDDs"}

Multi AV Scanner detection for submitted file

Source: 6GUgc6JYS1.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 6GUgc6JYS1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe

Code function: 4x nop then sub rsp, 58h

1_2_00007FF78FD22C20

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://20.25.126.96:443/bDDs
Source: Malware configuration extractor	URLs: http://20.25.126.96/bDDs

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49725 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49728 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49744 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49719 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49710 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49732 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49716 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49722 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49740 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.12:49713 -> 20.25.126.96:443

Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96

Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2572448652.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC9C000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/%
Source: 6GUgc6JYS1.exe, 00000001.00000003.2583324428.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2572448652.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/.i$x
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/2
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/DDs
Source: 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/Y
Source: 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/bDDs
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/bDDs2i
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/bDDsF
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/bDDsH:px6
Source: 6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, type: DROPPED	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, type: DROPPED	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Code function: 1_2_00007FF78FD219FB NtAccessCheckAndAuditAlarm,	1_2_00007FF78FD219FB
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Code function: 1_2_00007FF78FD21485 GetCurrentProcess,GetCurrentProcess,NtAlpcCreatePortSection,GetCurrentProcess,NtQueryInformationEnlistment,	1_2_00007FF78FD21485
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Code function: 1_2_00007FF78FD21A47 GetCurrentProcess,NtSetTimer,	1_2_00007FF78FD21A47

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6608 -s 1228

Source: 6GUgc6JYS1.exe

Static PE information: Number of sections : 11 > 10

Source: 6GUgc6JYS1.exe, 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs 6GUgc6JYS1.exe
Source: 6GUgc6JYS1.exe	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs 6GUgc6JYS1.exe

Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, type: DROPPED	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal92.troj.evad.winEXE@2/5@0/1

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6608

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d1df4113-672f-494d-ae55-1bc242b60e66

Jump to behavior

Source: 6GUgc6JYS1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6GUgc6JYS1.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe

File read: C:\Users\user\Desktop\6GUgc6JYS1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6GUgc6JYS1.exe "C:\Users\user\Desktop\6GUgc6JYS1.exe"
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6608 -s 1228

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: 6GUgc6JYS1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 6GUgc6JYS1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: 6GUgc6JYS1.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Code function: 1_2_000002598BC1010C push esp; retf	1_2_000002598BC101C4
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Code function: 1_2_000002598BC1012B push eax; ret	1_2_000002598BC10387
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	Code function: 1_2_000002598BC10310 push eax; ret	1_2_000002598BC10387

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe

Code function: 1_2_00007FF78FD21180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,

1_2_00007FF78FD21180

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	NtMapViewOfSection: Indirect: 0x7FF78FD21AB4	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	NtCreateThreadEx: Indirect: 0x7FF78FD21562	Jump to behavior
Source: C:\Users\user\Desktop\6GUgc6JYS1.exe	NtProtectVirtualMemory: Indirect: 0x7FF78FD21519	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match

File source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Metasploit Payload

Source: Yara match

File source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6GUgc6JYS1.exe	53%	ReversingLabs	Win64.Trojan.CobaltStrike

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://20.25.126.96/bDDs	true		unknown
http://20.25.126.96:443/bDDs	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://20.25.126.96/Y	6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/bDDs2i	6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/bDDs	6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/bDDsH:px6	6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/2	6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC9C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/	6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2572448652.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC9C000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BC73000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/bDDsF	6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/DDs	6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
https://20.25.126.96/.i$x	6GUgc6JYS1.exe, 00000001.00000003.2583324428.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2572448652.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2667657249.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/l	6GUgc6JYS1.exe, 00000001.00000003.2561670111.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp, 6GUgc6JYS1.exe, 00000001.00000003.2551113364.000002598BCD2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/%	6GUgc6JYS1.exe, 00000001.00000002.2742214638.000002598BCA6000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.25.126.96	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542745
Start date and time:	2024-10-26 09:10:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6GUgc6JYS1.exe renamed because original name is a hash value
Original Sample Name:	cf580830ecedcd498730091d01b92c1fde220d95f1fa677ce88f1a17f236b6b8.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 8 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 6GUgc6JYS1.exe

Simulations

Behavior and APIs

Time	Type	Description
03:12:01	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
20.25.126.96	Ljrfk7uRvO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	Ljrfk7uRvO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	20.25.126.96
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.60
	https://load.aberegg-immobilien.ch/	Get hash	malicious	HTMLPhisher	Browse	40.126.31.73
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	22.252.12.135
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	20.57.78.10
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	21.238.75.88
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	40.99.246.89
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	22.36.15.81
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	22.23.166.67
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	20.189.202.203

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6GUgc6JYS1.exe_14b8f6c7377787902fbdfdce8cfba71edc84f2_d9c5afb0_0b286928-5b74-4105-9195-d990964fe4a3\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8902174182806722
Encrypted:	false
SSDEEP:	96:iLFQfuv3+/sa2Coh7JfTQXIDcQWc6zcEZcw37n+HbHg/5jgOg0dl/phsv5o1OyWW:MLvu/v0I3DEjZ7yzuiFCZ24lO8Te
MD5:	7E020017FA17FA6F8252756296A3FE3B
SHA1:	8A5131A2820BCAA053C4DBF87E16CF77CDBD4F5E
SHA-256:	115ECCEC8F395FDEC41C5D04EF94666935B31CC36468A519DF492746169029FF
SHA-512:	21F3E4E21EAAA07C2425CB59E989D5C279BC516D2CE2BC71894727A1AF9513696192C19E8968A99345AAE23B685F93AF0C9C10EE130140D7690D39E3074FBEF6
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.0.0.3.1.6.5.9.7.2.8.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.0.0.3.1.6.9.7.2.2.8.0.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.2.8.6.9.2.8.-.5.b.7.4.-.4.1.0.5.-.9.1.9.5.-.d.9.9.0.9.6.4.f.e.4.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.a.2.6.4.5.7.-.5.c.b.d.-.4.b.a.7.-.b.b.8.d.-.b.c.3.c.e.f.8.3.9.5.a.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.6.G.U.g.c.6.J.Y.S.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.d.0.-.0.0.0.1.-.0.0.1.4.-.6.8.2.3.-.1.c.4.a.7.6.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.a.b.c.1.c.9.6.5.d.8.5.7.3.1.9.e.f.a.7.0.1.d.3.1.8.e.c.e.b.f.5.0.0.0.0.0.9.0.4.!.0.0.0.0.6.1.c.5.6.b.1.9.c.5.5.0.2.0.4.9.4.f.a.1.9.f.a.a.3.d.1.b.7.a.2.f.0.7.0.2.5.9.d.f.!.6.G.U.g.c.6.J.Y.S.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.2.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Oct 26 07:11:56 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	159734
Entropy (8bit):	1.3021244577485591
Encrypted:	false
SSDEEP:	384:nyCEX5vNwAOK3DR/62N5t3akw74uM1KjE5qdQt58:nL85FwAOcVSG5t3akw74VL5QQw
MD5:	C0AC191691F22EC7492F8AD8B057D770
SHA1:	93E287CFDD352E094CED28B76D04456F6111ECA5
SHA-256:	C1A12A4F64F2BBAFE6D45871DFAF5C8B13CBCAC8D28234C5285AECACB932873D
SHA-512:	BDE0DF232B2A7D0EC2381B47CD5FCB6DE791AF485A1B555CD426D38A27C320FF743FE2CD5F0DE219A1DA636E0601DCDDC0CCCB47C77ADE8CE40E4114C2016439
Malicious:	false
Yara Hits:	Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp, Author: unknown
Reputation:	low
Preview:	MDMP..a..... .......<..g.........................................Z..........T.......8...........T...............VA......................................................................................................eJ..............Lw......................T...........&..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E94.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8812
Entropy (8bit):	3.7110211166131153
Encrypted:	false
SSDEEP:	192:R6l7wVeJOHEP6Y+izpgmfWYoJpDa89b3ddfadm:R6lXJuE6YbzpgmfWYof3nfJ
MD5:	28E3487898A8A9F6333A7027C90429D4
SHA1:	2982EDF69F8DD684D51AEB01E281452528A09DE8
SHA-256:	469D29D5DA9682EF0095AB303836CFCE7ECBD79B87AC3E154037E27EB7BB454D
SHA-512:	23DB188CBFFC64DA234A5176955752A23BB801078D7AD1A83F96F93ABBED04907D32A6E63384F3AF2B4AB3DEFA0E7F16FE3496A2851AD990D01FF28956874E33
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EC3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4701
Entropy (8bit):	4.505379579987411
Encrypted:	false
SSDEEP:	48:cvIwWl8zsI/Jg771I9N/OWpW8VYJYm8M4JOlFOKFAyq85j+QONKi/LE4gzTfd:uIjfSI7yv7VFJOvEyDOfzErTfd
MD5:	602D680BABEC94E2A1A7CA542049B7E6
SHA1:	88B4AF2E6A1C22EA9EE9C649B6B93092A8079367
SHA-256:	0B29A01BE9BA79774B54DBD2B26B7818B3341683FB2B43DFA801FEA87911D3ED
SHA-512:	4C844227400D5DCFB43405D0C9EE08E2D09F790ED99C07C54FAAEE33EA6B300797568A54D49DF8EC6E68428AC01733297216096E8F576E8E62E2D5455A932A51
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560054" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.569187439173982
Encrypted:	false
SSDEEP:	6144:ooPefZnQMa3tfLXbn90foomgsattlbSldrUHT7hSgkSNv0juQJYchUJvTGAGBsLq:lPPAooVJHnsg/d1TsqGn
MD5:	36260AE22F8B73E4B96085F9356E8DE8
SHA1:	B2C9C092DA18315AE9117B0EEBB74C3713D8D0FD
SHA-256:	9BA9EEA9C99AF22C809FF8354BB68806657F9ADDD8A94D8A4C050218D10F3012
SHA-512:	E3A71076684C4D0022A9B9A5FE6C21C4D81649587FB25FAAAB5857619D079A57D54D2D7E1AEA2D2AD621C77F66D23820A4E541EC344B9114FA73F663706DCBC0
Malicious:	false
Reputation:	low
Preview:	regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.8.Wv'..............................................................................................................................................................................................................................................................................................................................................~.c........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.361963209685598
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	6GUgc6JYS1.exe
File size:	23'040 bytes
MD5:	789bf0a8714e77d0d524ba22d8efbd7e
SHA1:	61c56b19c55020494fa19faa3d1b7a2f070259df
SHA256:	cf580830ecedcd498730091d01b92c1fde220d95f1fa677ce88f1a17f236b6b8
SHA512:	70cfde0ebc2dec25bf28873269543351cc8a218e6a0d5d7b6f3d3c87673aa81ad0187ed6990ed82875455b621ec49a02f875760c6bf6c7359971658d05af933b
SSDEEP:	384:Y021unhcOSuFUKrxzk+kzekzLko0nN7WIeW:Yt0GOHF5lk+kKkzLz0nJ
TLSH:	E7A2084FFB9258ECC21ED03985EA9B31AD71B86044905B2FE778ED711F20961AF39352
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............+.,...V...".............@..........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6718BD08 [Wed Oct 23 09:08:24 2024 UTC]
TLS Callbacks:	0x40002890, 0x1, 0x40002860, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a3f3b74a6140351f8e7200ddf88e2e48

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00004015h]
mov dword ptr [eax], 00000001h
call 00007FD86C7D8C4Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00003FF5h]
mov dword ptr [eax], 00000000h
call 00007FD86C7D8C2Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FD86C7DB3ACh
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FD86C7D8E89h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
jmp ecx
dec eax
arpl word ptr [00002BB6h], ax
test eax, eax
jle 00007FD86C7D8ED8h
cmp dword ptr [00002BAFh], 00000000h
jle 00007FD86C7D8ECFh
dec eax
mov edx, dword ptr [00009D8Ah]
dec eax
mov dword ptr [ecx+eax], edx
dec eax
mov edx, dword ptr [00009D87h]
dec eax
arpl word ptr [00002B94h], ax
dec eax
mov dword ptr [ecx+eax], edx
ret
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 00000088h
dec eax
arpl dx, ax
dec eax
mov edi, ecx
xor ecx, ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb000	0x6e4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6000	0x3fc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf000	0x7c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5040	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb1d0	0x190	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2aa8	0x2c00	88650f3b39c64c8fc929476a25b66439	False	0.5095880681818182	data	6.038952498895535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0x4b0	0x600	22b93c3335383d8ae590e670f7bd6e68	False	0.6725260416666666	data	5.983486071991815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5000	0x950	0xa00	3549a44efb7dacab789f7957db19e9bf	False	0.23046875	data	3.974332583159687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x6000	0x3fc	0x400	af3a5fc9405581543e9fe642c8b3cfe4	False	0.50390625	data	4.1070762649908765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x7000	0x2c4	0x400	f9f84d96f7d46b6459820b4f8305922d	False	0.2861328125	data	2.896667181484537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x8000	0x2120	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb000	0x6e4	0x800	40bc1346723ef460d9e793bf7985fe91	False	0.3212890625	data	3.5144818216706186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xc000	0x60	0x200	5ef26311a99fa82b8c36b2288f406e7d	False	0.068359375	data	0.28655982431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xd000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xe000	0x3e8	0x400	5d241ef7651954dadb8e43a444c74261	False	0.4482421875	data	3.325221446899578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf000	0x7c	0x200	e9430c9e167f4b5795a489747c577ff7	False	0.2421875	data	1.4308862585029796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe058	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data	English	United States	0.46365638766519823

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, abort, calloc, exit, fclose, fopen, fprintf, fread, free, fsetpos, fwrite, malloc, mbstowcs, memcmp, memcpy, rand, signal, strlen, strncmp, vfprintf, wcsncat, wcsncpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-26T09:11:36.563533+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49710	20.25.126.96	443	TCP
2024-10-26T09:11:38.792427+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49713	20.25.126.96	443	TCP
2024-10-26T09:11:40.928461+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49716	20.25.126.96	443	TCP
2024-10-26T09:11:43.046909+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49719	20.25.126.96	443	TCP
2024-10-26T09:11:45.159166+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49722	20.25.126.96	443	TCP
2024-10-26T09:11:47.312952+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49725	20.25.126.96	443	TCP
2024-10-26T09:11:49.412285+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49728	20.25.126.96	443	TCP
2024-10-26T09:11:51.549927+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49732	20.25.126.96	443	TCP
2024-10-26T09:11:53.653075+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49740	20.25.126.96	443	TCP
2024-10-26T09:11:55.932749+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.12	49744	20.25.126.96	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 09:11:35.497083902 CEST	49710	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:35.497133017 CEST	443	49710	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:35.497252941 CEST	49710	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:35.507602930 CEST	49710	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:35.507632971 CEST	443	49710	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:36.563286066 CEST	443	49710	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:36.563533068 CEST	49710	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:36.594609022 CEST	49710	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:36.594636917 CEST	443	49710	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:36.655646086 CEST	49711	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:36.655700922 CEST	443	49711	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:36.655776024 CEST	49711	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:36.656140089 CEST	49711	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:36.656155109 CEST	443	49711	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:37.734308004 CEST	443	49711	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:37.734417915 CEST	49711	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.734534979 CEST	49711	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.734555006 CEST	443	49711	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:37.735335112 CEST	49712	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.735435963 CEST	443	49712	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:37.735536098 CEST	49712	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.735646009 CEST	49712	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.735692024 CEST	443	49712	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:37.735747099 CEST	49712	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.736633062 CEST	49713	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.736676931 CEST	443	49713	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:37.736740112 CEST	49713	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.737027884 CEST	49713	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:37.737044096 CEST	443	49713	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:38.792326927 CEST	443	49713	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:38.792427063 CEST	49713	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:38.792519093 CEST	49713	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:38.792538881 CEST	443	49713	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:38.793190002 CEST	49714	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:38.793253899 CEST	443	49714	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:38.793339014 CEST	49714	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:38.793833017 CEST	49714	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:38.793862104 CEST	443	49714	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:39.854671955 CEST	443	49714	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:39.854752064 CEST	49714	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.854854107 CEST	49714	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.854877949 CEST	443	49714	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:39.855705023 CEST	49715	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.855742931 CEST	443	49715	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:39.855827093 CEST	49715	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.855952024 CEST	49715	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.855988979 CEST	443	49715	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:39.856055021 CEST	49715	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.856913090 CEST	49716	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.856961012 CEST	443	49716	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:39.857018948 CEST	49716	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.857420921 CEST	49716	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:39.857438087 CEST	443	49716	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:40.928323030 CEST	443	49716	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:40.928461075 CEST	49716	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:40.928617954 CEST	49716	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:40.928632975 CEST	443	49716	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:40.929383039 CEST	49717	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:40.929425955 CEST	443	49717	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:40.929507017 CEST	49717	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:40.929742098 CEST	49717	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:40.929757118 CEST	443	49717	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:41.991852045 CEST	443	49717	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:41.991959095 CEST	49717	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.992046118 CEST	49717	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.992065907 CEST	443	49717	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:41.992644072 CEST	49718	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.992691994 CEST	443	49718	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:41.992748022 CEST	49718	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.992820978 CEST	49718	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.992889881 CEST	443	49718	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:41.992938995 CEST	49718	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.997992992 CEST	49719	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.998011112 CEST	443	49719	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:41.998070002 CEST	49719	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.999449015 CEST	49719	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:41.999465942 CEST	443	49719	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:43.046785116 CEST	443	49719	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:43.046909094 CEST	49719	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:43.047147036 CEST	49719	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:43.047166109 CEST	443	49719	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:43.051527977 CEST	49720	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:43.051567078 CEST	443	49720	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:43.051639080 CEST	49720	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:43.052032948 CEST	49720	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:43.052047968 CEST	443	49720	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:44.101308107 CEST	443	49720	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:44.101404905 CEST	49720	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.104733944 CEST	49720	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.104770899 CEST	443	49720	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:44.106872082 CEST	49721	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.106909990 CEST	443	49721	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:44.106972933 CEST	49721	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.107078075 CEST	49721	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.107129097 CEST	443	49721	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:44.107182026 CEST	49721	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.108058929 CEST	49722	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.108088970 CEST	443	49722	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:44.108151913 CEST	49722	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.108406067 CEST	49722	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:44.108419895 CEST	443	49722	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:45.158934116 CEST	443	49722	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:45.159166098 CEST	49722	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:45.182763100 CEST	49722	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:45.182796001 CEST	443	49722	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:45.211158037 CEST	49723	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:45.211193085 CEST	443	49723	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:45.211338043 CEST	49723	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:45.211730957 CEST	49723	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:45.211746931 CEST	443	49723	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:46.269875050 CEST	443	49723	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:46.270025015 CEST	49723	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.270090103 CEST	49723	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.270116091 CEST	443	49723	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:46.272933960 CEST	49724	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.272993088 CEST	443	49724	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:46.273072958 CEST	49724	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.273168087 CEST	49724	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.273240089 CEST	443	49724	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:46.273294926 CEST	49724	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.274260044 CEST	49725	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.274296999 CEST	443	49725	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:46.274360895 CEST	49725	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.274652004 CEST	49725	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:46.274667978 CEST	443	49725	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:47.312789917 CEST	443	49725	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:47.312952042 CEST	49725	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:47.313077927 CEST	49725	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:47.313095093 CEST	443	49725	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:47.314095020 CEST	49726	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:47.314160109 CEST	443	49726	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:47.314248085 CEST	49726	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:47.314583063 CEST	49726	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:47.314599991 CEST	443	49726	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:48.350248098 CEST	443	49726	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:48.350409031 CEST	49726	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.350702047 CEST	49726	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.350730896 CEST	443	49726	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:48.352202892 CEST	49727	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.352242947 CEST	443	49727	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:48.352375984 CEST	49727	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.352601051 CEST	49727	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.352636099 CEST	443	49727	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:48.352722883 CEST	49727	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.360393047 CEST	49728	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.360411882 CEST	443	49728	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:48.360546112 CEST	49728	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.361232996 CEST	49728	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:48.361244917 CEST	443	49728	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:49.412168026 CEST	443	49728	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:49.412285089 CEST	49728	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:49.412368059 CEST	49728	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:49.412389040 CEST	443	49728	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:49.413283110 CEST	49729	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:49.413341045 CEST	443	49729	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:49.413429976 CEST	49729	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:49.413737059 CEST	49729	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:49.413755894 CEST	443	49729	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:50.484500885 CEST	443	49729	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:50.484582901 CEST	49729	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.484668970 CEST	49729	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.484692097 CEST	443	49729	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:50.485275030 CEST	49731	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.485307932 CEST	443	49731	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:50.485372066 CEST	49731	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.485428095 CEST	49731	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.485460043 CEST	443	49731	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:50.485501051 CEST	49731	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.486453056 CEST	49732	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.486483097 CEST	443	49732	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:50.486547947 CEST	49732	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.486913919 CEST	49732	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:50.486924887 CEST	443	49732	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:51.549854040 CEST	443	49732	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:51.549926996 CEST	49732	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:51.550039053 CEST	49732	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:51.550050020 CEST	443	49732	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:51.551340103 CEST	49736	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:51.551415920 CEST	443	49736	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:51.551872969 CEST	49736	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:51.552227020 CEST	49736	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:51.552252054 CEST	443	49736	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:52.607800961 CEST	443	49736	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:52.607954025 CEST	49736	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.608061075 CEST	49736	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.608083963 CEST	443	49736	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:52.608664989 CEST	49739	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.608716011 CEST	443	49739	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:52.608798027 CEST	49739	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.608906984 CEST	49739	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.608937979 CEST	443	49739	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:52.608994007 CEST	49739	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.610008001 CEST	49740	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.610060930 CEST	443	49740	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:52.610137939 CEST	49740	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.610428095 CEST	49740	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:52.610445976 CEST	443	49740	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:53.653008938 CEST	443	49740	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:53.653074980 CEST	49740	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:53.653165102 CEST	49740	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:53.653179884 CEST	443	49740	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:53.653816938 CEST	49742	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:53.653841019 CEST	443	49742	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:53.653995037 CEST	49742	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:53.654305935 CEST	49742	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:53.654314995 CEST	443	49742	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:54.703380108 CEST	443	49742	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:54.703479052 CEST	49742	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.703562975 CEST	49742	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.703578949 CEST	443	49742	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:54.706656933 CEST	49743	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.706770897 CEST	443	49743	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:54.706906080 CEST	49743	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.706998110 CEST	49743	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.707025051 CEST	443	49743	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:54.707077026 CEST	49743	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.710196972 CEST	49744	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.710258007 CEST	443	49744	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:54.710361958 CEST	49744	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.710763931 CEST	49744	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:54.710788965 CEST	443	49744	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:55.932692051 CEST	443	49744	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:55.932749033 CEST	49744	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:55.932858944 CEST	49744	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:55.932887077 CEST	443	49744	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:55.933635950 CEST	49745	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:55.933687925 CEST	443	49745	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:55.933748007 CEST	49745	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:55.934338093 CEST	49745	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:55.934350014 CEST	443	49745	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:56.974122047 CEST	443	49745	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:56.974323034 CEST	49745	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:56.974427938 CEST	49745	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:56.974445105 CEST	443	49745	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:56.975295067 CEST	49746	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:56.975368023 CEST	443	49746	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:56.975455999 CEST	49746	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:56.975595951 CEST	49746	443	192.168.2.12	20.25.126.96
Oct 26, 2024 09:11:56.975636959 CEST	443	49746	20.25.126.96	192.168.2.12
Oct 26, 2024 09:11:56.975688934 CEST	49746	443	192.168.2.12	20.25.126.96

Target ID:	1
Start time:	03:11:34
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\6GUgc6JYS1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\6GUgc6JYS1.exe"
Imagebase:	0x7ff78fd20000
File size:	23'040 bytes
MD5 hash:	789BF0A8714E77D0D524BA22D8EFBD7E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:11:56
Start date:	26/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6608 -s 1228
Imagebase:	0x7ff603290000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.2%
Total number of Nodes:	196
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF78FD21180 Relevance: 10.6, APIs: 7, Instructions: 138
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF78FD213E6), ref: 00007FF78FD211BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF78FD2122F
malloc.MSVCRT ref: 00007FF78FD21263
strlen.MSVCRT ref: 00007FF78FD21284
malloc.MSVCRT ref: 00007FF78FD21290
memcpy.MSVCRT ref: 00007FF78FD212A8

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: 74e2acfbdd2222695438d7060340a825c6e38bbb22b53d49880a21e2da7959d6
Instruction ID: 466b4b5599ec479f8a41c0d4ccfa430ecf365b1fb75b736f13643241be4aeda6
Opcode Fuzzy Hash: 74e2acfbdd2222695438d7060340a825c6e38bbb22b53d49880a21e2da7959d6
Instruction Fuzzy Hash: 01512536E0968285F610BB15ADA16B9E2A1BF85B85FE49035DB0E47395CE3CF441C3F0

Function 00007FF78FD21A47 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF78FD21A64

Strings

@, xrefs: 00007FF78FD21A9A

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: CurrentProcess
String ID: @
API String ID: 2050909247-2766056989
Opcode ID: 261fdf325cd2908af581aa48cf2c5f8fee024366996ec8c160c08fbd857218c0
Instruction ID: fc4c60db067469c10cb6dd9e72d78bdd0ccfb091196182f433dbcec55dd2fcfe
Opcode Fuzzy Hash: 261fdf325cd2908af581aa48cf2c5f8fee024366996ec8c160c08fbd857218c0
Instruction Fuzzy Hash: ACF0E832A18B8186D7509B54F45428BBBA5F784784F604139EBCD83B18EF3DD154CB90

Function 00007FF78FD21485 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78FD21A47: GetCurrentProcess.KERNEL32 ref: 00007FF78FD21A64

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000800,00007FF78FD24000), ref: 00007FF78FD214F5
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000800,00007FF78FD24000), ref: 00007FF78FD2151E

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 509bbad2a067a9b033a74ceefe0ee967bd978527f9389b8c7367eb6b0545064b
Instruction ID: 46cbf44ed44267b9d9f17ddfb34008e7466c2a4cca09fd90c9546453f1a222fb
Opcode Fuzzy Hash: 509bbad2a067a9b033a74ceefe0ee967bd978527f9389b8c7367eb6b0545064b
Instruction Fuzzy Hash: 9C21B732609B8185E610AB65B8512AAA7D4FB897C4F648135EBCE43B55EE3CE002C7A0

Function 00007FF78FD219FB Relevance: 1.3, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF78FD21A16

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 18499add16e78753605d273a7ff3c60a1e52f63b3d8e7b04dec0ca4303b45796
Instruction ID: c580500518b6eaa927a7d2be818aedccc2a1f709d8842f4735812f06ce784849
Opcode Fuzzy Hash: 18499add16e78753605d273a7ff3c60a1e52f63b3d8e7b04dec0ca4303b45796
Instruction Fuzzy Hash: 98E03972A28A8083D311EF18E41024BBAB2F7C1304FB08036E78C42A19DA3ED5158F54

Function 00007FF78FD226B0 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF78FD226C2
GetModuleFileNameA.KERNEL32 ref: 00007FF78FD226D6
malloc.MSVCRT ref: 00007FF78FD22717

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: malloc$FileModuleName
String ID:
API String ID: 3634825322-0
Opcode ID: 7b8a38cfa6b20737cab9834afacbda3d58fe46a6f13e8b9e5d4355efd212f70a
Instruction ID: acef1f5c5ba0ea73b5e05810b6bdaa783b2b6278be1a256cbf9a9211514b098d
Opcode Fuzzy Hash: 7b8a38cfa6b20737cab9834afacbda3d58fe46a6f13e8b9e5d4355efd212f70a
Instruction Fuzzy Hash: 07117F22A0D2C294EA10BB126D615F9A650BB4ABD4FE44030EE8F1B74ADD3CF541C7F0

Function 000002598BC1012B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 000002598BC10146

Strings

U.;, xrefs: 000002598BC10141

Memory Dump Source

Source File: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002598BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2598bc10000_6GUgc6JYS1.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: U.;
API String ID: 1984915467-4213443877
Opcode ID: 384db265c013720a470dfad14405f5eea7b7aafc50a111f5be8b2763f8998fcb
Instruction ID: 4f9bf8e4f7b99e64d8f3b51298df5a59bdd4bc75bbc049c58a0849504194dbeb
Opcode Fuzzy Hash: 384db265c013720a470dfad14405f5eea7b7aafc50a111f5be8b2763f8998fcb
Instruction Fuzzy Hash: A9119D6034890D1BF62C819E7C5A73A21CBE3C9766F28812FB50ED33D6DC68CC82401E

Function 00007FF78FD23A40 Relevance: 3.0, APIs: 2, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78FD226B0: malloc.MSVCRT ref: 00007FF78FD226C2
Part of subcall function 00007FF78FD226B0: GetModuleFileNameA.KERNEL32 ref: 00007FF78FD226D6
Part of subcall function 00007FF78FD226B0: malloc.MSVCRT ref: 00007FF78FD22717

GetCurrentProcess.KERNEL32(?,?,-00000008,00000001,00007FF78FD212EE,?,?,?,00007FF78FD213E6), ref: 00007FF78FD23A60
WaitForSingleObject.KERNEL32(?,?,-00000008,00000001,00007FF78FD212EE,?,?,?,00007FF78FD213E6), ref: 00007FF78FD23A6A

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: malloc$CurrentFileModuleNameObjectProcessSingleWait
String ID:
API String ID: 343681413-0
Opcode ID: 0d4f65f921a0c99844056602b24f84f8fb58204a15ad64bfb35a6985993a2c3f
Instruction ID: 34d6b31573877d7201d93c4d4d6cf66ebfd890ca7e1f48fee2816c147f7d2d5f
Opcode Fuzzy Hash: 0d4f65f921a0c99844056602b24f84f8fb58204a15ad64bfb35a6985993a2c3f
Instruction Fuzzy Hash: 67D09221E2929A80F914B726AC260EA96107F44781FA80436EE1F13392CD3CF552C2F0

Function 000002598BC1010C Relevance: 1.5, APIs: 1, Instructions: 31
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(00000003,00000003,00000002,00000001), ref: 000002598BC10127

Part of subcall function 000002598BC1012B: HttpOpenRequestA.WININET(00000000,00000000,84C03200,00000000), ref: 000002598BC10146

Memory Dump Source

Source File: 00000001.00000002.2742178189.000002598BC10000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002598BC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2598bc10000_6GUgc6JYS1.jbxd

Yara matches

Similarity

API ID: ConnectHttpInternetOpenRequest
String ID:
API String ID: 1341064763-0
Opcode ID: adf542c86c05be09c357181a1fd7fba9b155f5a54da9dc2df37151438df54562
Instruction ID: 60bec0bb32942330544e93a1e273d8111f6cc2b65c28bca7b70ff234f9228bcd
Opcode Fuzzy Hash: adf542c86c05be09c357181a1fd7fba9b155f5a54da9dc2df37151438df54562
Instruction Fuzzy Hash: 91E0D11227C6C15DE11D522C5D4F736699DDB43309F38077DE0C7D1293D99458024577

Non-executed Functions

Function 00007FF78FD22C20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF78FD22DAD
Unknown pseudo relocation protocol version %d., xrefs: 00007FF78FD22F70
Unknown pseudo relocation bit size %d., xrefs: 00007FF78FD22F64

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 9b607ef5e1d39ac516e2ca217b0ec8142e152364ff69139389c8b96fc812699c
Instruction ID: fa3f2ea5c81d345f344fb33e14850dbb201c87410632ee01f5c0d53d95ada4b7
Opcode Fuzzy Hash: 9b607ef5e1d39ac516e2ca217b0ec8142e152364ff69139389c8b96fc812699c
Instruction Fuzzy Hash: 1B91A032E1958282FA106B108C607F9A261BF54765FA48235EB7E177D8DE3CF802D2F0

Function 00007FF78FD22A40 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FF78FD22B5B

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF78FD22A77
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF78FD22BF1
Address %p has no image-section, xrefs: 00007FF78FD22AB2, 00007FF78FD22C05
VirtualProtect failed with code 0x%x, xrefs: 00007FF78FD22BCE

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 8ece0e5689c32bf06535397255939f5c85717967dc5866581f01381cb6bfe8d1
Instruction ID: 92707a5b5d8f66def7a4aca31801c3186e81e8568dffe852626879ac9f49cc79
Opcode Fuzzy Hash: 8ece0e5689c32bf06535397255939f5c85717967dc5866581f01381cb6bfe8d1
Instruction Fuzzy Hash: 97518F72A09A8681EA10AB11EC606E9A760FB84B95FE44130EF5E07798DF3CF545C7F0

Function 00007FF78FD22930 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF78FD229B0

Strings

Unknown error, xrefs: 00007FF78FD22A1C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78FD22997

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 86f86d6f1fd49047498ccaa3b45f8d951f61e92dc91ddb43cd8bd9df1df07beb
Instruction ID: bed94dbf20b748c4125c5275f3009d9bf1ab5001304976c5ae958c037ea0d990
Opcode Fuzzy Hash: 86f86d6f1fd49047498ccaa3b45f8d951f61e92dc91ddb43cd8bd9df1df07beb
Instruction Fuzzy Hash: A3015E63D08EC582E6029F1898001BAB321FB5A759F659335EB8D26515DF39E582C7A0

Function 00007FF78FD22A00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF78FD229B0

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF78FD22A00
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78FD22997

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: b3d9e429b27ba28e2e026a2c9b98eac1c535cf286a48dd262e2791c23a66e309
Instruction ID: 73dc40a56b989dca42f147a3d37da5420a988cc0eadd1567f107ff819586b4bd
Opcode Fuzzy Hash: b3d9e429b27ba28e2e026a2c9b98eac1c535cf286a48dd262e2791c23a66e309
Instruction Fuzzy Hash: C1F04463C08E8581D2029F1C98101FBB360FB5D758F645335EB8E2A155DF28E582C7A0

Function 00007FF78FD22A10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF78FD229B0

Strings

Total loss of significance (TLOSS), xrefs: 00007FF78FD22A10
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78FD22997

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: ddb799f098da87b00ec340744236e459e3aea45df4fe3f2b56e8a1eed7c5b458
Instruction ID: ffe26b53e70295f687884b8e174413a31c376b06bee75721651869ddc95a3811
Opcode Fuzzy Hash: ddb799f098da87b00ec340744236e459e3aea45df4fe3f2b56e8a1eed7c5b458
Instruction Fuzzy Hash: B0F04463C08E8581D2029F1C98001FBB320FB5D758F645335EF8E26515DF28F582C7A0

Function 00007FF78FD229E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF78FD229B0

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF78FD229E0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78FD22997

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 16dd505da357011cff4d5dc29124268b26f012e1e5dc482f658140d9308e8692
Instruction ID: ca9982b095a02ac86b967b5e491a7362137901d3b4388748ec8c1ff09a15c554
Opcode Fuzzy Hash: 16dd505da357011cff4d5dc29124268b26f012e1e5dc482f658140d9308e8692
Instruction Fuzzy Hash: 87F04463C08E8581D2029F1C98101FBB320FB5D798F645335EF8E26155DF28E582C7A0

Function 00007FF78FD229F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF78FD229B0

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF78FD229F0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78FD22997

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 0a8ae8f4033385862a0396cdc020b2c4273462e3d6cfb5660cf053897133f514
Instruction ID: ff265ef99b31df54eb4b0bd668483d8a0aea49247a3be6e30bd6a264d80a49a6
Opcode Fuzzy Hash: 0a8ae8f4033385862a0396cdc020b2c4273462e3d6cfb5660cf053897133f514
Instruction Fuzzy Hash: FFF04463C08E8581D2029F1C98101FBB320FB5E759F645335EB8E26155DF28E582D7A0

Function 00007FF78FD229D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF78FD229B0

Strings

Argument domain error (DOMAIN), xrefs: 00007FF78FD229D0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78FD22997

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: b3d029248fb215c580629142f9baa88a6281556b66857b9c865bccdc7984895a
Instruction ID: 065cc3e01fc3a1b65bb8d7a207ac568e56f35f33130cba9545f4d088fb10f552
Opcode Fuzzy Hash: b3d029248fb215c580629142f9baa88a6281556b66857b9c865bccdc7984895a
Instruction Fuzzy Hash: FBF04463C08E8581D2029F1C98101FBB320FB5D758F645335EB8E26155DF28E582C7A0

Function 00007FF78FD22968 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF78FD229B0

Strings

Argument singularity (SIGN), xrefs: 00007FF78FD22968
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF78FD22997

Memory Dump Source

Source File: 00000001.00000002.2742517974.00007FF78FD21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78FD20000, based on PE: true

Associated: 00000001.00000002.2742498055.00007FF78FD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742542111.00007FF78FD24000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742564946.00007FF78FD25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD28000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742591932.00007FF78FD2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2742645005.00007FF78FD2E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff78fd20000_6GUgc6JYS1.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: c02743551f4fe489137f2efd61f1df1c261d2c0ea91ffeb14e0dc1eb3f61af91
Instruction ID: 1b16f62071a991b61d3b11ac4af73d0a6b60b196dfcb04ea06c0e0cc437cbe7b
Opcode Fuzzy Hash: c02743551f4fe489137f2efd61f1df1c261d2c0ea91ffeb14e0dc1eb3f61af91
Instruction Fuzzy Hash: 0BF01863D08E8581D2029F1C98001A7B321FB5E759F645335DF8D2A515DF29E582C790

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6GUgc6JYS1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Threatname: Metasploit

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6GUgc6JYS1.exe_14b8f6c7377787902fbdfdce8cfba71edc84f2_d9c5afb0_0b286928-5b74-4105-9195-d990964fe4a3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DF6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E94.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EC3.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
6GUgc6JYS1.exe

Function 00007FF78FD21180 Relevance: 10.6, APIs: 7, Instructions: 138
sleepstringCOMMON

Function 00007FF78FD21A47 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
COMMON

Function 00007FF78FD21485 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 00007FF78FD219FB Relevance: 1.3, Strings: 1, Instructions: 19
COMMON

Function 00007FF78FD226B0 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Function 000002598BC1012B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
networkCOMMON

Function 00007FF78FD23A40 Relevance: 3.0, APIs: 2, Instructions: 13
synchronizationCOMMON

Function 000002598BC1010C Relevance: 1.5, APIs: 1, Instructions: 31
networkCOMMON

Function 00007FF78FD22C20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232
COMMON

Function 00007FF78FD22A40 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Function 00007FF78FD22930 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Function 00007FF78FD229E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00007FF78FD229F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00007FF78FD229D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON