Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: CobaltStrike {"C2Server": "http://101.78.63.44:None/UphQey", "User Agent": "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)\r\n"} |
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; Touch)\r\n", "Type": "Metasploit Download", "URL": "http://101.78.63.44/UphQey"} |
Source: artifact.exe |
ReversingLabs: Detection: 91% |
Source: artifact.exe |
Virustotal: Detection: 81% |
Source: artifact.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: Malware configuration extractor |
URLs: http://101.78.63.44:None/UphQey |
Source: Malware configuration extractor |
URLs: http://101.78.63.44/UphQey |
Source: Joe Sandbox View |
ASN Name: CHINATELECOM-CTCLOUDCloudComputingCorporationCN CHINATELECOM-CTCLOUDCloudComputingCorporationCN |
Source: global traffic |
TCP traffic: 192.168.2.4:49730 -> 101.78.63.44:80 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 101.78.63.44 |
Source: artifact.exe, 00000000.00000002.1705027660.00000000007F6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://101.78.63.44/ |
Source: artifact.exe, 00000000.00000002.1705027660.00000000007F6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://101.78.63.44/2 |
Source: artifact.exe, 00000000.00000002.1705027660.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://101.78.63.44/UphQey |
Source: artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://101.78.63.44/UphQeya |
Source: artifact.exe, 00000000.00000002.1705027660.00000000007AE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://101.78.63.44/UphQeyp |
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Shellcode_Generic_8c487e57 Author: unknown |
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown |
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown |
Source: C:\Users\user\Desktop\artifact.exe |
Code function: 0_2_001F00B5 |
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Shellcode_Generic_8c487e57 os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Shellcode.Generic, fingerprint = 834caf96192a513aa93ac48fb8d2f3326bf9f08acaf7a27659f688b26e3e57e4, id = 8c487e57-4b8c-488e-a1d9-786ff935fd2c, last_modified = 2022-07-18 |
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23 |
Source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23 |
Source: classification engine |
Classification label: mal100.troj.winEXE@1/0@0/1 |
Source: artifact.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\artifact.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\artifact.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Users\user\Desktop\artifact.exe |
Code function: 0_2_00401949 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, |
Source: C:\Users\user\Desktop\artifact.exe TID: 6624 |
Thread sleep count: 35 > 30 |
Source: C:\Users\user\Desktop\artifact.exe TID: 6624 |
Thread sleep time: -350000s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: artifact.exe, 00000000.00000002.1705027660.00000000007D7000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWx |
Source: artifact.exe, 00000000.00000002.1705027660.0000000000805000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\artifact.exe |
Code function: 0_2_00401949 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, |
0_2_00401949 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\artifact.exe |
Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, |
Source: C:\Users\user\Desktop\artifact.exe |
Code function: 0_2_004028E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, |
Source: C:\Users\user\Desktop\artifact.exe |
Code function: 0_2_00401648 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle, |
Source: C:\Users\user\Desktop\artifact.exe |
Code function: 0_2_00402810 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
Source: Yara match |
File source: artifact.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.artifact.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.artifact.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.1704733475.00000000001F0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |