
Windows Analysis Report
FQElDjFG5t.exe

Overview

General Information

Sample Name: FQElDjFG5t.exe
Original Sample Name: 6b44d99b258c275ee7fcf230da177f3e.exe
Analysis ID: 1352543
MD5: 6b44d99b258c275ee7fcf230da177f3e
SHA1: 833a461f6d479d164b453cc9f5f51259d991b1b7
SHA256: 1aecadf489a6dd7a3a6e5dfda9425673a9d04d38a5cb6b0b8f961536c11237ed
Tags: 64, exe, Sliver

Detection

Sliver
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Sliver Implants
Potentially malicious time measurement code found
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers

Classification

  • System is w10x64
  • FQElDjFG5t.exe (PID: 616 cmdline: C:\Users\user\Desktop\FQElDjFG5t.exe MD5: 6B44D99B258C275EE7FCF230DA177F3E)
  • cleanup
Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
No configs have been found
Source: FQElDjFG5t.exe  Rule: Multi_Trojan_Bishopsliver_42298c4a  Description: unknown  Author: unknown  Strings:
  • 0xbe9a14:$a1: ).RequestResend
  • 0xbddf49:$a2: ).GetPrivInfo
Source: FQElDjFG5t.exe  Rule: INDICATOR_TOOL_Sliver  Description: Detects Sliver implant cross-platform adversary emulation/red team  Author: ditekSHen  Strings:
  • 0x95ded1:$s3: .WGTCPForwarder
  • 0x95e954:$s3: .WGTCPForwarder
  • 0x9602eb:$s3: .WGTCPForwarder
  • 0x960dc0:$s3: .WGTCPForwarder
  • 0x962f7c:$s3: .WGTCPForwarder
  • 0x963c38:$s3: .WGTCPForwarder
  • 0x95a8d0:$s6: .BackdoorReq
  • 0x95de2f:$s7: .ProcessDumpReq
  • 0x960108:$s8: .InvokeSpawnDllReq
  • 0x9563ff:$s9: .SpawnDll
  • 0x95aa08:$s9: .SpawnDll
Source: 00000000.00000002.3280051062.000000C00010E000.00000004.00001000.00020000.00000000.sdmp  Rule: JoeSecurity_Sliver  Description: Yara detected Sliver Implants  Author: Joe Security
Source: 00000000.00000002.3278823516.0000000000D88000.00000002.00000001.01000000.00000003.sdmp  Rule: Multi_Trojan_Bishopsliver_42298c4a  Description: unknown  Author: unknown  Strings:
  • 0x72c14:$a1: ).RequestResend
  • 0x67149:$a2: ).GetPrivInfo
Source: 00000000.00000000.2020196596.0000000000D88000.00000002.00000001.01000000.00000003.sdmp  Rule: Multi_Trojan_Bishopsliver_42298c4a  Description: unknown  Author: unknown  Strings:
  • 0x72c14:$a1: ).RequestResend
  • 0x67149:$a2: ).GetPrivInfo
Source: Process Memory Space: FQElDjFG5t.exe PID: 616  Rule: JoeSecurity_Sliver  Description: Yara detected Sliver Implants  Author: Joe Security
Source: Process Memory Space: FQElDjFG5t.exe PID: 616  Rule: Multi_Trojan_Bishopsliver_42298c4a  Description: unknown  Author: unknown  Strings:
  • 0x4b19b:$a1: ).RequestResend
  • 0x7fff1:$a1: ).RequestResend
  • 0x3f6d0:$a2: ).GetPrivInfo
  • 0x74b59:$a2: ).GetPrivInfo
Source: 0.2.FQElDjFG5t.exe.210000.0.unpack  Rule: Multi_Trojan_Bishopsliver_42298c4a  Description: unknown  Author: unknown  Strings:
  • 0xbe9a14:$a1: ).RequestResend
  • 0xbddf49:$a2: ).GetPrivInfo
Source: 0.2.FQElDjFG5t.exe.210000.0.unpack  Rule: INDICATOR_TOOL_Sliver  Description: Detects Sliver implant cross-platform adversary emulation/red team  Author: ditekSHen  Strings:
  • 0x95ded1:$s3: .WGTCPForwarder
  • 0x95e954:$s3: .WGTCPForwarder
  • 0x9602eb:$s3: .WGTCPForwarder
  • 0x960dc0:$s3: .WGTCPForwarder
  • 0x962f7c:$s3: .WGTCPForwarder
  • 0x963c38:$s3: .WGTCPForwarder
  • 0x95a8d0:$s6: .BackdoorReq
  • 0x95de2f:$s7: .ProcessDumpReq
  • 0x960108:$s8: .InvokeSpawnDllReq
  • 0x9563ff:$s9: .SpawnDll
  • 0x95aa08:$s9: .SpawnDll
Source: 0.0.FQElDjFG5t.exe.210000.0.unpack  Rule: Multi_Trojan_Bishopsliver_42298c4a  Description: unknown  Author: unknown  Strings:
  • 0xbe9a14:$a1: ).RequestResend
  • 0xbddf49:$a2: ).GetPrivInfo
Source: 0.0.FQElDjFG5t.exe.210000.0.unpack  Rule: INDICATOR_TOOL_Sliver  Description: Detects Sliver implant cross-platform adversary emulation/red team  Author: ditekSHen  Strings:
  • 0x95ded1:$s3: .WGTCPForwarder
  • 0x95e954:$s3: .WGTCPForwarder
  • 0x9602eb:$s3: .WGTCPForwarder
  • 0x960dc0:$s3: .WGTCPForwarder
  • 0x962f7c:$s3: .WGTCPForwarder
  • 0x963c38:$s3: .WGTCPForwarder
  • 0x95a8d0:$s6: .BackdoorReq
  • 0x95de2f:$s7: .ProcessDumpReq
  • 0x960108:$s8: .InvokeSpawnDllReq
  • 0x9563ff:$s9: .SpawnDll
  • 0x95aa08:$s9: .SpawnDll
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: FQElDjFG5t.exe  ReversingLabs: Detection: 50%
Source: FQElDjFG5t.exe  Virustotal: Detection: 59%
Source: FQElDjFG5t.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\FQElDjFG5t.exe  Code function: 4x nop then mov rdi, 0000800000000000h  0_2_00237120
Source: C:\Users\user\Desktop\FQElDjFG5t.exe  Code function: 4x nop then mov rsi, r9  0_2_00237EC0
Source: global traffic  TCP traffic: 192.168.2.5:49705 -> 94.198.53.143:8888
Source: unknown  TCP traffic detected without corresponding DNS query: 94.198.53.143 (14 occurrences)
Source: FQElDjFG5t.exe, 00000000.00000002.3280051062.000000C00016C000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: GetRawInputData (memstr_4b7d096d-5)

System Summary