Edit tour
Windows
Analysis Report
mrkjKujfkP.exe
Overview
General Information
| Sample name: | mrkjKujfkP.exerenamed because original name is a hash value |
| Original sample name: | ec37b9184eb3457fff8057affeb6ffd5.exe |
| Analysis ID: | 1386666 |
| MD5: | ec37b9184eb3457fff8057affeb6ffd5 |
| SHA1: | 4c9c17d1874a44e9708976736620b75d033274de |
| SHA256: | 152e23b6a0f48147c40ceef6fb08f9702ff4da2fee7fbea4afe5c7c6b2cd35b0 |
| Tags: | exeStealc |
| Infos: |  |
 | |
Detection
Stealc
| Score: | 92 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Stealc
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
mrkjKujfkP.exe (PID: 2148 cmdline: C:\Users\u ser\Deskto p\mrkjKujf kP.exe MD5: EC37B9184EB3457FFF8057AFFEB6FFD5) 
conhost.exe (PID: 3092 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution |
{"C2 url": "http://91.206.178.118/31b57f88e9b186cd.php"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security | ||
| JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.591.206.178.11849705802044243 02/05/24-10:47:04.601026 |
| SID: | 2044243 |
| Source Port: | 49705 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_00D192E0 | |
| Source: | Code function: | 0_2_00D32520 | |
| Source: | Code function: | 0_2_00D1A620 | |
| Source: | Code function: | 0_2_00D1BB80 | |
| Source: | Code function: | 0_2_00D1BB20 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00CC934A | |
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | URLs: | ||
| Source: | HTTP traffic detected: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_00D192E0 | |
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Code function: | 0_2_00CC1290 | |
| Source: | Code function: | 0_2_00CC1000 | |
| Source: | Code function: | 0_2_00CD05B1 | |
| Source: | Code function: | 0_2_00CC2EA0 | |
| Source: | Code function: | 0_2_00D128E8 | |
| Source: | Code function: | 0_2_00D12CE8 | |
| Source: | Code function: | 0_2_00D130E8 | |
| Source: | Code function: | 0_2_00D134E8 | |
| Source: | Code function: | 0_2_00D129E8 | |
| Source: | Code function: | 0_2_00D12DE8 | |
| Source: | Code function: | 0_2_00D131E8 | |
| Source: | Code function: | 0_2_00D12AE8 | |
| Source: | Code function: | 0_2_00D12EE8 | |
| Source: | Code function: | 0_2_00D132E8 | |
| Source: | Code function: | 0_2_00D13630 | |
| Source: | Code function: | 0_2_00D127C0 | |
| Source: | Code function: | 0_2_00D12BE8 | |
| Source: | Code function: | 0_2_00D12FE8 | |
| Source: | Code function: | 0_2_00D133E8 | |
| Source: | Code function: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00CC1290 | |
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00CD1540 | |
| Source: | Code function: | 0_2_00CD0CD4 | |
| Source: | Code function: | 0_2_00D32EF0 | |
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-12212 | ||
| Source: | Evasive API call chain: | graph_0-10842 | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00CC934A | |
| Source: | Code function: | 0_2_00D300F0 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-12202 | ||
| Source: | API call chain: | graph_0-12218 | ||
| Source: | API call chain: | graph_0-12210 | ||
| Source: | API call chain: | graph_0-12225 | ||
| Source: | Code function: | 0_2_00CC70E3 | |
| Source: | Code function: | 0_2_00CC1290 | |
| Source: | Code function: | 0_2_00CC1290 | |
| Source: | Code function: | 0_2_00D32B80 | |
| Source: | Code function: | 0_2_00CCBA64 | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00CC70E3 | |
| Source: | Code function: | 0_2_00CC483A | |
| Source: | Code function: | 0_2_00CC46DE | |
| Source: | Code function: | 0_2_00CC4B33 | |
| Source: | Code function: | 0_2_00CC4945 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00CC45C5 | |
| Source: | Code function: | 0_2_00D110C0 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Native API | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Account Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 123 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 33% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 9% | Virustotal | Browse | ||
| 9% | Virustotal | Browse | ||
| 13% | Virustotal | Browse |
⊘No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 91.206.178.118 | unknown | Poland | 200088 | ARTNET2PL | true |
| Joe Sandbox version: | 39.0.0 Ruby |
| Analysis ID: | 1386666 |
| Start date and time: | 2024-02-05 10:46:10 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 2m 20s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 3 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | mrkjKujfkP.exerenamed because original name is a hash value |
| Original Sample Name: | ec37b9184eb3457fff8057affeb6ffd5.exe |
| Detection: | MAL |
| Classification: | mal92.troj.evad.winEXE@2/0@0/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryValueKey calls found.
⊘No simulations
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 91.206.178.118 | Get hash | malicious | Stealc | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ARTNET2PL | Get hash | malicious | Stealc | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Vidar | Browse |
| ||
| Get hash | malicious | Maxtrilha | Browse |
| ||
| Get hash | malicious | Maxtrilha | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
|
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.888097857945214 |
| TrID: |
|
| File name: | mrkjKujfkP.exe |
| File size: | 310'272 bytes |
| MD5: | ec37b9184eb3457fff8057affeb6ffd5 |
| SHA1: | 4c9c17d1874a44e9708976736620b75d033274de |
| SHA256: | 152e23b6a0f48147c40ceef6fb08f9702ff4da2fee7fbea4afe5c7c6b2cd35b0 |
| SHA512: | 7506a0ce7484331833399aecec9741736ed03787f938b44641f42999684fa3c02a6bc21ec30c5c11e5fd7276e89430cad9d383cc4be6ea9cc0a469323d39b790 |
| SSDEEP: | 6144:tUMOLNJ5l10oVJ4C3CO2uWGcTATRsYQiANCpUxEJKWc+T5omu7Uk9NTeeqKuje/K:mxLt0K4C3CO2uWGcTATRsYQiANCpUsKw |
| TLSH: | B6646B20A6E4B561C003F4334F7DE9EFA73A6512A7166DFA09C607B0BED1E986B35704 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<j..o..A/..$.......u.*.uv.}.....t0...S...LHO~ ..QP.dl`G......<%e%.I. ..Q#....*b.....%...z.v..:a&.....N\.................PE..L.. |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x404318 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x65C0A2A6 [Mon Feb 5 08:56:06 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 382a4d7b99200ee7e9686d1f1cde0258 |
| Instruction |
|---|
| call 00007FAC6106A3BAh |
| jmp 00007FAC61069F39h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 00445360h |
| mov dword ptr [ecx], 00445308h |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| lea ecx, dword ptr [ebp-0Ch] |
| call 00007FAC6106A09Fh |
| push 0044A74Ch |
| lea eax, dword ptr [ebp-0Ch] |
| push eax |
| call 00007FAC6106B189h |
| int3 |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| lea ecx, dword ptr [ebp-0Ch] |
| call 00007FAC61069570h |
| push 0044A66Ch |
| lea eax, dword ptr [ebp-0Ch] |
| push eax |
| call 00007FAC6106B16Ch |
| int3 |
| push ebp |
| mov ebp, esp |
| mov eax, dword ptr [ebp+08h] |
| push esi |
| mov ecx, dword ptr [eax+3Ch] |
| add ecx, eax |
| movzx eax, word ptr [ecx+14h] |
| lea edx, dword ptr [ecx+18h] |
| add edx, eax |
| movzx eax, word ptr [ecx+06h] |
| imul esi, eax, 28h |
| add esi, edx |
| cmp edx, esi |
| je 00007FAC6106A0DBh |
| mov ecx, dword ptr [ebp+0Ch] |
| cmp ecx, dword ptr [edx+0Ch] |
| jc 00007FAC6106A0CCh |
| mov eax, dword ptr [edx+08h] |
| add eax, dword ptr [edx+0Ch] |
| cmp ecx, eax |
| jc 00007FAC6106A0CEh |
| add edx, 28h |
| cmp edx, esi |
| jne 00007FAC6106A0ACh |
| xor eax, eax |
| pop esi |
| pop ebp |
| ret |
| mov eax, edx |
| jmp 00007FAC6106A0BBh |
| push esi |
| call 00007FAC6106A820h |
| test eax, eax |
| je 00007FAC6106A0E2h |
| mov eax, dword ptr fs:[00000018h] |
| mov esi, 0044CA30h |
| mov edx, dword ptr [eax+04h] |
| jmp 00007FAC6106A0C6h |
| cmp edx, eax |
| je 00007FAC6106A0D2h |
| xor eax, eax |
| mov ecx, edx |
| lock cmpxchg dword ptr [esi], ecx |
| test eax, eax |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4ad24 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4e000 | 0x1030 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x49fb0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x49ef0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x130 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xffd3 | 0x10000 | fb89902177544741f273b78d49fd5c1d | False | 0.605316162109375 | data | 6.610824596118242 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .1eKI8 | 0x11000 | 0x54b | 0x600 | 0f20743dbc3ff418db3d78aaf005bb6f | False | 0.7135416666666666 | data | 5.410549386593947 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x12000 | 0x393e2 | 0x39400 | 94acc79cda5eb42e4316a6ee370b8313 | False | 0.4073672898471616 | data | 6.59184787735665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x4c000 | 0x146c | 0xc00 | fe5e59a519c227296e1ac96c8f8255ca | False | 0.16243489583333334 | data | 2.1644385139883653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x4e000 | 0x1030 | 0x1200 | 3af010183f1a572cf86319934d76d1a5 | False | 0.7098524305555556 | data | 6.223006267344559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| KERNEL32.dll | VirtualProtect, GetModuleHandleA, GetProcAddress, VirtualAlloc, LoadLibraryA, lstrlenW, CreateThread, Sleep, WaitForSingleObject, FreeConsole, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, CompareStringW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.591.206.178.11849705802044243 02/05/24-10:47:04.601026 | TCP | 2044243 | ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in | 49705 | 80 | 192.168.2.5 | 91.206.178.118 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Feb 5, 2024 10:47:04.376053095 CET | 49705 | 80 | 192.168.2.5 | 91.206.178.118 |
| Feb 5, 2024 10:47:04.599847078 CET | 80 | 49705 | 91.206.178.118 | 192.168.2.5 |
| Feb 5, 2024 10:47:04.599977970 CET | 49705 | 80 | 192.168.2.5 | 91.206.178.118 |
| Feb 5, 2024 10:47:04.601026058 CET | 49705 | 80 | 192.168.2.5 | 91.206.178.118 |
| Feb 5, 2024 10:47:04.824857950 CET | 80 | 49705 | 91.206.178.118 | 192.168.2.5 |
| Feb 5, 2024 10:47:04.829705000 CET | 80 | 49705 | 91.206.178.118 | 192.168.2.5 |
| Feb 5, 2024 10:47:04.829773903 CET | 49705 | 80 | 192.168.2.5 | 91.206.178.118 |
| Feb 5, 2024 10:47:06.493103027 CET | 49705 | 80 | 192.168.2.5 | 91.206.178.118 |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49705 | 91.206.178.118 | 80 | 2148 | C:\Users\user\Desktop\mrkjKujfkP.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Feb 5, 2024 10:47:04.601026058 CET | 410 | OUT | |
| Feb 5, 2024 10:47:04.829705000 CET | 178 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 10:47:02 |
| Start date: | 05/02/2024 |
| Path: | C:\Users\user\Desktop\mrkjKujfkP.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xcc0000 |
| File size: | 310'272 bytes |
| MD5 hash: | EC37B9184EB3457FFF8057AFFEB6FFD5 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 10:47:03 |
| Start date: | 05/02/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6d64d0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |