Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Cb523jmji0.exe

Overview

General Information

Sample name:Cb523jmji0.exe
renamed because original name is a hash value
Original sample name:3babce4f85902c7bcfde22e222508c4e.exe
Analysis ID:1629799
MD5:3babce4f85902c7bcfde22e222508c4e
SHA1:4898ae5c075322b47ab2f512b5463ee6116d98f7
SHA256:06b678b55cb81e6999b25903def2ac02336dc6c9ff3cd6afdaafffd55e2e5302
Tags:exeuser-abuse_ch
Infos:

Detection

Score:60
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Uses the Telegram API (likely for C&C communication)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • Cb523jmji0.exe (PID: 7612 cmdline: "C:\Users\user\Desktop\Cb523jmji0.exe" MD5: 3BABCE4F85902C7BCFDE22E222508C4E)
    • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: Cb523jmji0.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: Cb523jmji0.exeVirustotal: Detection: 65%Perma Link
Source: Cb523jmji0.exeReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703BEAC0 BCryptGenRandom,0_2_00007FF6703BEAC0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703BEC80 BCryptGenRandom,0_2_00007FF6703BEC80
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703E7410 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,0_2_00007FF6703E7410
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703ED4F0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF6703ED4F0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703BF8D0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF6703BF8D0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703EFE00 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF6703EFE00
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703E6AD0 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateContext,0_2_00007FF6703E6AD0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703EEDB0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,0_2_00007FF6703EEDB0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703EEE30 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF6703EEE30
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703EEEC0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF6703EEEC0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703ECEE0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,0_2_00007FF6703ECEE0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703E6EF0 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,0_2_00007FF6703E6EF0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703ECF60 CryptHashData,0_2_00007FF6703ECF60
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703ECF70 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF6703ECF70
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: -----BEGIN PUBLIC KEY-----0_2_00007FF6703A1060
Source: Cb523jmji0.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: mov dword ptr [rbp+04h], 424D53FFh0_2_00007FF6703D46A0
Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: Cb523jmji0.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\users\Administrator\Desktop\crypter\crypter\x64\Release\crypter.pdb source: Cb523jmji0.exe

Networking

barindex
Uses the Telegram API (likely for C&C communication)
Source: unknownDNS query: name: api.telegram.org
Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox ViewJA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703DFDB0 recv,WSAGetLastError,0_2_00007FF6703DFDB0
Source: global trafficDNS traffic detected: DNS query: api.telegram.org
Source: Cb523jmji0.exeString found in binary or memory: https://api.telegram.org/bot
Source: Cb523jmji0.exeString found in binary or memory: https://api.telegram.org/botokresultfile_path/https://api.telegram.org/file/bot8193153557:AAHX0oj36X
Source: Cb523jmji0.exeString found in binary or memory: https://api.telegram.org/file/bot
Source: Cb523jmji0.exeString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Cb523jmji0.exeString found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: Cb523jmji0.exeString found in binary or memory: https://curl.se/docs/hsts.html
Source: Cb523jmji0.exeString found in binary or memory: https://curl.se/docs/hsts.html#
Source: Cb523jmji0.exeString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Cb523jmji0.exeString found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703ED4F0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF6703ED4F0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703913220_2_00007FF670391322
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703DF8E00_2_00007FF6703DF8E0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703ABA500_2_00007FF6703ABA50
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703A4A700_2_00007FF6703A4A70
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670398B600_2_00007FF670398B60
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704111A00_2_00007FF6704111A0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704132080_2_00007FF670413208
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67040F3780_2_00007FF67040F378
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704273980_2_00007FF670427398
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703A55100_2_00007FF6703A5510
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704194D80_2_00007FF6704194D8
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703ED4F00_2_00007FF6703ED4F0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704116A80_2_00007FF6704116A8
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703ED7600_2_00007FF6703ED760
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703C19C00_2_00007FF6703C19C0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670399A900_2_00007FF670399A90
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67041DA700_2_00007FF67041DA70
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703EFD900_2_00007FF6703EFD90
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670397E010_2_00007FF670397E01
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703EFE000_2_00007FF6703EFE00
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703B3E600_2_00007FF6703B3E60
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670415EDA0_2_00007FF670415EDA
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703F9F400_2_00007FF6703F9F40
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703D00B00_2_00007FF6703D00B0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703F63D10_2_00007FF6703F63D1
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703AE4B00_2_00007FF6703AE4B0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67042249C0_2_00007FF67042249C
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703D85000_2_00007FF6703D8500
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67041A5140_2_00007FF67041A514
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704185740_2_00007FF670418574
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67041C77C0_2_00007FF67041C77C
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704107540_2_00007FF670410754
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703E07C00_2_00007FF6703E07C0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703AE8B00_2_00007FF6703AE8B0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703B68B00_2_00007FF6703B68B0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704229300_2_00007FF670422930
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703A68C00_2_00007FF6703A68C0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67040C8F40_2_00007FF67040C8F4
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704109580_2_00007FF670410958
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703FE9D00_2_00007FF6703FE9D0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703C2AF00_2_00007FF6703C2AF0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670412B480_2_00007FF670412B48
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670410B5C0_2_00007FF670410B5C
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703FCC000_2_00007FF6703FCC00
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67040ED300_2_00007FF67040ED30
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67040CE000_2_00007FF67040CE00
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670424E8C0_2_00007FF670424E8C
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703BAEB00_2_00007FF6703BAEB0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670422FB00_2_00007FF670422FB0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67042D00C0_2_00007FF67042D00C
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703B10400_2_00007FF6703B1040
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703F50600_2_00007FF6703F5060
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703FD1300_2_00007FF6703FD130
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF67042711C0_2_00007FF67042711C
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6704087B0 appears 47 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6703A8CE0 appears 44 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6703A8C40 appears 328 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6703ADDB0 appears 38 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6703AE420 appears 33 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF670393310 appears 48 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6703A8B50 appears 408 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6703B04F0 appears 52 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6703ADE20 appears 76 times
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: String function: 00007FF6703B05C0 appears 34 times
Source: Cb523jmji0.exeBinary or memory string: OriginalFilename vs Cb523jmji0.exe
Source: Cb523jmji0.exe, 00000000.00000002.1416711642.00007FF670463000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameUnreal Console Host< vs Cb523jmji0.exe
Source: Cb523jmji0.exeBinary or memory string: OriginalFilenameUnreal Console Host< vs Cb523jmji0.exe
Source: classification engineClassification label: mal60.troj.winEXE@2/0@1/2
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: Cb523jmji0.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Cb523jmji0.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: Cb523jmji0.exeVirustotal: Detection: 65%
Source: Cb523jmji0.exeReversingLabs: Detection: 55%
Source: Cb523jmji0.exeString found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: unknownProcess created: C:\Users\user\Desktop\Cb523jmji0.exe "C:\Users\user\Desktop\Cb523jmji0.exe"
Source: C:\Users\user\Desktop\Cb523jmji0.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\Cb523jmji0.exeSection loaded: schannel.dllJump to behavior
Source: Cb523jmji0.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: Cb523jmji0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Cb523jmji0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Cb523jmji0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Cb523jmji0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Cb523jmji0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Cb523jmji0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Cb523jmji0.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Cb523jmji0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\users\Administrator\Desktop\crypter\crypter\x64\Release\crypter.pdb source: Cb523jmji0.exe
Source: Cb523jmji0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Cb523jmji0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Cb523jmji0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Cb523jmji0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Cb523jmji0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703AB860 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,0_2_00007FF6703AB860
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703BC55F push rsp; ret 0_2_00007FF6703BC565
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703CCBD2 push rbx; retf 0003h0_2_00007FF6703CCBE1
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703CCBE4 push rbx; retf 0_2_00007FF6703CCBE9
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703BCC8A push rdi; retf 0002h0_2_00007FF6703BCC8D
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703BCD1E push rdi; retf 0_2_00007FF6703BCD25
Source: C:\Users\user\Desktop\Cb523jmji0.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-70290
Source: C:\Users\user\Desktop\Cb523jmji0.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-69767
Source: Cb523jmji0.exe, 00000000.00000003.1415744456.000002A506492000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704016C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6704016C0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703AB860 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,0_2_00007FF6703AB860
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704016C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6704016C0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670401864 SetUnhandledExceptionFilter,0_2_00007FF670401864
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704068A8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6704068A8
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670400A50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF670400A50
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF67042B450
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: EnumSystemLocalesW,0_2_00007FF67042B7AC
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: EnumSystemLocalesW,0_2_00007FF67042B87C
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF67042BCB4
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF67042BE98
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: EnumSystemLocalesW,0_2_00007FF6704207F0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: GetLocaleInfoW,0_2_00007FF670420D88
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6704015B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6704015B0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF670427398 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF670427398
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703BE0E0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,0_2_00007FF6703BE0E0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703DF2C0 htons,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,0_2_00007FF6703DF2C0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703D00B0 getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,0_2_00007FF6703D00B0
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703C4859 bind,WSAGetLastError,0_2_00007FF6703C4859
Source: C:\Users\user\Desktop\Cb523jmji0.exeCode function: 0_2_00007FF6703C4AD0 bind,WSAGetLastError,0_2_00007FF6703C4AD0

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
Process Injection		1
Process Injection		OS Credential Dumping2
System Time Discovery		1
Exploitation of Remote Services		12
Archive Collected Data		1
Web Service		Exfiltration Over Other Network Medium1
Data Encrypted for Impact
CredentialsDomainsDefault Accounts2
Native API		Boot or Logon Initialization Scripts1
DLL Side-Loading		1
Deobfuscate/Decode Files or Information		LSASS Memory11
Security Software Discovery		Remote Desktop ProtocolData from Removable Media22
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
Obfuscated Files or Information		Security Account Manager12
System Information Discovery		SMB/Windows Admin SharesData from Network Shared Drive1
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsInternet Connection DiscoverySSHKeylogging2
Application Layer Protocol		Scheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Cb523jmji0.exe65%VirustotalBrowse
Cb523jmji0.exe55%ReversingLabsWin64.Trojan.Amadey
Cb523jmji0.exe100%AviraTR/Dldr.Agent.tizjt

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
api.telegram.org
149.154.167.220
truefalse
    		high

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://curl.se/docs/hsts.htmlCb523jmji0.exefalse
      		high
      https://curl.se/docs/alt-svc.html#Cb523jmji0.exefalse
        		high
        https://curl.se/docs/http-cookies.html#Cb523jmji0.exefalse
          		high
          https://api.telegram.org/file/botCb523jmji0.exefalse
            		high
            https://curl.se/docs/alt-svc.htmlCb523jmji0.exefalse
              		high
              https://api.telegram.org/botCb523jmji0.exefalse
                		high
                https://curl.se/docs/http-cookies.htmlCb523jmji0.exefalse
                  		high
                  https://curl.se/docs/hsts.html#Cb523jmji0.exefalse
                    		high
                    https://api.telegram.org/botokresultfile_path/https://api.telegram.org/file/bot8193153557:AAHX0oj36XCb523jmji0.exefalse
                      		high

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      149.154.167.220
                      		api.telegram.orgUnited Kingdom
                      		62041TELEGRAMRUfalse

                      Private

                      IP
                      127.0.0.1

                      General Information

                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1629799
                      Start date and time:2025-03-05 08:05:35 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 2m 57s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:3
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:Cb523jmji0.exe
                      renamed because original name is a hash value
                      Original Sample Name:3babce4f85902c7bcfde22e222508c4e.exe
                      Detection:MAL
                      Classification:mal60.troj.winEXE@2/0@1/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 96%
                      • Number of executed functions: 66
                      • Number of non-executed functions: 157
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated

                      Warnings

                      • Exclude process from analysis (whitelisted): dllhost.exe
                      • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                      • Not all processes where analyzed, report is missing behavior information

                      Simulations

                      Behavior and APIs

                      No simulations

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      149.154.167.220delivery894639203.htmlGet hashmaliciousHTMLPhisherBrowse
                        SfbAu0ICZn.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                          jjohnson@bagtoearth.com-Paymentreceipt.htmGet hashmaliciousHTMLPhisherBrowse
                            rarrivalnotice.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              50% deposit's payment advice.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                rPurchaseOrder-25-1201.exeGet hashmaliciousSnake KeyloggerBrowse
                                  Verger Doc.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                    2raqmphRKT.exeGet hashmaliciousAmadey, LummaC Stealer, PureLog StealerBrowse
                                      Payment_Advice.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                        HSBC_USD31,073.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          api.telegram.orgdelivery894639203.htmlGet hashmaliciousHTMLPhisherBrowse
                                          • 149.154.167.220
                                          SfbAu0ICZn.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                          • 149.154.167.220
                                          jjohnson@bagtoearth.com-Paymentreceipt.htmGet hashmaliciousHTMLPhisherBrowse
                                          • 149.154.167.220
                                          rarrivalnotice.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          • 149.154.167.220
                                          50% deposit's payment advice.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          • 149.154.167.220
                                          AI_25_46416_418811192810.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                          • 149.154.167.220
                                          rPurchaseOrder-25-1201.exeGet hashmaliciousSnake KeyloggerBrowse
                                          • 149.154.167.220
                                          Verger Doc.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          • 149.154.167.220
                                          Payment_Advice.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                          • 149.154.167.220
                                          HSBC_USD31,073.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                          • 149.154.167.220

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          TELEGRAMRUdelivery894639203.htmlGet hashmaliciousHTMLPhisherBrowse
                                          • 149.154.167.220
                                          SfbAu0ICZn.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                          • 149.154.167.220
                                          Yanto v1.2.exeGet hashmaliciousLummaC StealerBrowse
                                          • 149.154.167.99
                                          jjohnson@bagtoearth.com-Paymentreceipt.htmGet hashmaliciousHTMLPhisherBrowse
                                          • 149.154.167.220
                                          rarrivalnotice.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          • 149.154.167.220
                                          50% deposit's payment advice.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          • 149.154.167.220
                                          rPurchaseOrder-25-1201.exeGet hashmaliciousSnake KeyloggerBrowse
                                          • 149.154.167.220
                                          Verger Doc.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          • 149.154.167.220
                                          2raqmphRKT.exeGet hashmaliciousAmadey, LummaC Stealer, PureLog StealerBrowse
                                          • 149.154.167.220
                                          Payment_Advice.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                          • 149.154.167.220

                                          JA3 Fingerprints

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          bd0bf25947d4a37404f0424edf4db9adleFhB1aYaW.exeGet hashmaliciousDCRatBrowse
                                          • 149.154.167.220
                                          Loader.exeGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220
                                          1.exeGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220
                                          setup.msiGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220
                                          5bf784.msiGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220
                                          34.exeGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220
                                          11.exeGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220
                                          BundleInstaller.dll.exeGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220
                                          SecuriteInfo.com.Win64.Trojan.Agent.SPKBLR.21082.13583.exeGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220
                                          thIrHnhL2S.exeGet hashmaliciousUnknownBrowse
                                          • 149.154.167.220

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:PE32+ executable (console) x86-64, for MS Windows
                                          Entropy (8bit):6.4280736982462265
                                          TrID:
                                          • Win64 Executable Console (202006/5) 92.65%
                                          • Win64 Executable (generic) (12005/4) 5.51%
                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                          • DOS Executable Generic (2002/1) 0.92%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:Cb523jmji0.exe
                                          File size:931'328 bytes
                                          MD5:3babce4f85902c7bcfde22e222508c4e
                                          SHA1:4898ae5c075322b47ab2f512b5463ee6116d98f7
                                          SHA256:06b678b55cb81e6999b25903def2ac02336dc6c9ff3cd6afdaafffd55e2e5302
                                          SHA512:f8687729c8931579f8120f6451f669726f115123c10a7c5ce6d9a24746940153efcf7e33b719e8f543f9b4316db485633272943f462bf948b4044f234795d629
                                          SSDEEP:24576:9lBq4/QlK9/CqNzb5lgV6tZVPKilGRl1D:9lBj/V6QtGily
                                          TLSH:BD157B5A63E828E5D1779138C7775383D7B6B8161320D6DF02E086663F276E27E3A390
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m...m...m...&...a...&.......&...q...|E@.j...|E..g...|E......|E..8...&...|...m.......t...n...t........E..l....EB.l...m.*.l..

                                          File Icon

                                          Icon Hash:0d35784d5b5b4531

                                          Static PE Info

                                          General

                                          Entrypoint:0x1400709c0
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x140000000
                                          Subsystem:windows cui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x67C42E75 [Sun Mar 2 10:09:57 2025 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:6
                                          OS Version Minor:0
                                          File Version Major:6
                                          File Version Minor:0
                                          Subsystem Version Major:6
                                          Subsystem Version Minor:0
                                          Import Hash:cfca4a34c112c1814d56edc0be75de3a

                                          Entrypoint Preview

                                          Instruction
                                          dec eax
                                          sub esp, 28h
                                          call 00007FDFB8D760ACh
                                          dec eax
                                          add esp, 28h
                                          jmp 00007FDFB8D75337h
                                          int3
                                          int3
                                          dec eax
                                          sub esp, 28h
                                          dec ebp
                                          mov eax, dword ptr [ecx+38h]
                                          dec eax
                                          mov ecx, edx
                                          dec ecx
                                          mov edx, ecx
                                          call 00007FDFB8D754D2h
                                          mov eax, 00000001h
                                          dec eax
                                          add esp, 28h
                                          ret
                                          int3
                                          int3
                                          int3
                                          inc eax
                                          push ebx
                                          inc ebp
                                          mov ebx, dword ptr [eax]
                                          dec eax
                                          mov ebx, edx
                                          inc ecx
                                          and ebx, FFFFFFF8h
                                          dec esp
                                          mov ecx, ecx
                                          inc ecx
                                          test byte ptr [eax], 00000004h
                                          dec esp
                                          mov edx, ecx
                                          je 00007FDFB8D754D5h
                                          inc ecx
                                          mov eax, dword ptr [eax+08h]
                                          dec ebp
                                          arpl word ptr [eax+04h], dx
                                          neg eax
                                          dec esp
                                          add edx, ecx
                                          dec eax
                                          arpl ax, cx
                                          dec esp
                                          and edx, ecx
                                          dec ecx
                                          arpl bx, ax
                                          dec edx
                                          mov edx, dword ptr [eax+edx]
                                          dec eax
                                          mov eax, dword ptr [ebx+10h]
                                          mov ecx, dword ptr [eax+08h]
                                          dec eax
                                          mov eax, dword ptr [ebx+08h]
                                          test byte ptr [ecx+eax+03h], 0000000Fh
                                          je 00007FDFB8D754CDh
                                          movzx eax, byte ptr [ecx+eax+03h]
                                          and eax, FFFFFFF0h
                                          dec esp
                                          add ecx, eax
                                          dec esp
                                          xor ecx, edx
                                          dec ecx
                                          mov ecx, ecx
                                          pop ebx
                                          jmp 00007FDFB8D75136h
                                          int3
                                          inc eax
                                          push ebx
                                          dec eax
                                          sub esp, 20h
                                          dec eax
                                          mov ebx, ecx
                                          xor ecx, ecx
                                          call dword ptr [000329AFh]
                                          dec eax
                                          mov ecx, ebx
                                          call dword ptr [0003299Eh]
                                          call dword ptr [000329A8h]
                                          dec eax
                                          mov ecx, eax
                                          mov edx, C0000409h
                                          dec eax
                                          add esp, 20h
                                          pop ebx
                                          dec eax
                                          jmp dword ptr [0003299Ch]
                                          dec eax
                                          mov dword ptr [esp+00h], ecx

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xcd1ac0xb4.rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xdb0000xb8b8.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0xd30000x7adc.pdata
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xe70000x10a0.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0xc23800x70.rdata
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0xc25800x28.rdata
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xc22400x140.rdata
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0xa30000x690.rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x10000xa17f40xa1800e3e6ddb2bdcda0f0fc2c7d101e49b52fFalse0.5467011537345201data6.438684552464703IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata0xa30000x2b5880x2b600ed10e9b3054678cfa05248974292de25False0.4128636077089337data5.588535169555013IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data0xcf0000x33280x1c00228b18e03f2261837a64219ebbe98b80False0.17243303571428573data3.2196114885132823IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .pdata0xd30000x7adc0x7c00efba14f94c2015f75219dd1bb212f61eFalse0.48541456653225806data5.889107770612065IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .rsrc0xdb0000xb8b80xba002b301b26248e6505006540ae4ee476c8False0.17800739247311828data3.8917886492640217IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xe70000x10a00x1200987e9c2e166aa7ab4284815ed94d80b3False0.4233940972222222data5.282973197899523IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_ICON0xdb2b00xb13PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.8867724867724868
                                          RT_ICON0xdbdc80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.10341151385927505
                                          RT_ICON0xdcc700x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.12229241877256318
                                          RT_ICON0xdd5180x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.11416184971098266
                                          RT_ICON0xdda800xc4aPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9164017800381437
                                          RT_ICON0xde6d00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.03672649976381672
                                          RT_ICON0xe28f80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.04854771784232365
                                          RT_ICON0xe4ea00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.0698874296435272
                                          RT_ICON0xe5f480x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.1400709219858156
                                          RT_GROUP_ICON0xe63b00x84dataEnglishUnited States0.6590909090909091
                                          RT_VERSION0xe64380x2fcdataEnglishUnited States0.4816753926701571
                                          RT_MANIFEST0xe67380x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                                          Imports

                                          DLLImport
                                          KERNEL32.dllGetFileType, ReadFile, PeekNamedPipe, WaitForMultipleObjects, GetCurrentProcessId, SleepEx, VerSetConditionMask, VerifyVersionInfoW, CreateFileA, GetFileSizeEx, WriteConsoleW, HeapSize, DeleteFileW, GetStdHandle, GetEnvironmentVariableA, WaitForSingleObjectEx, CloseHandle, MoveFileExA, FormatMessageW, SetLastError, GetLastError, WideCharToMultiByte, MultiByteToWideChar, GetProcessHeap, Sleep, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFullPathNameW, GetCurrentDirectoryW, SetEndOfFile, SetStdHandle, GetFileAttributesExW, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, HeapReAlloc, HeapFree, HeapAlloc, LoadLibraryA, GetProcAddress, GetModuleHandleA, FreeLibrary, GetSystemDirectoryA, QueryPerformanceFrequency, DeleteCriticalSection, InitializeCriticalSectionEx, LeaveCriticalSection, EnterCriticalSection, GetTickCount, QueryPerformanceCounter, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetConsoleWindow, SetEnvironmentVariableW, VirtualAlloc, GetConsoleOutputCP, ReadConsoleW, GetConsoleMode, GetCommandLineW, GetCommandLineA, ExitProcess, GetModuleFileNameW, RtlUnwind, WriteFile, SetFilePointerEx, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetFileInformationByHandle, GetDriveTypeW, CreateFileW, LoadLibraryExW, TlsFree, TlsSetValue, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, WakeAllConditionVariable, SleepConditionVariableSRW, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue
                                          USER32.dllShowWindow
                                          ADVAPI32.dllCryptAcquireContextA, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, CryptEncrypt, CryptReleaseContext, CryptGetHashParam
                                          WS2_32.dllgetpeername, sendto, recvfrom, freeaddrinfo, ioctlsocket, gethostname, recv, listen, htonl, getsockname, connect, bind, accept, select, __WSAFDIsSet, socket, htons, WSAIoctl, setsockopt, WSACleanup, WSAStartup, WSASetLastError, ntohs, WSAGetLastError, closesocket, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, send, getsockopt, getaddrinfo
                                          CRYPT32.dllCryptStringToBinaryA, CertFreeCertificateContext, CryptDecodeObjectEx, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CertAddCertificateContextToStore, PFXImportCertStore, CertFindExtension, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFindCertificateInStore, CertFreeCertificateChain
                                          WLDAP32.dll
                                          Normaliz.dllIdnToUnicode, IdnToAscii
                                          bcrypt.dllBCryptGenRandom

                                          Version Infos

                                          DescriptionData
                                          CompanyNameEpic Games Studio
                                          FileDescriptionEpic Game Studio Console Host
                                          FileVersion1.2.9.0
                                          InternalNameEpic Studios
                                          LegalCopyrightCopyright (C) 2025
                                          OriginalFilenameUnreal Console Host
                                          ProductNameUNREAL ENGINE
                                          ProductVersion1.2.6.3
                                          Translation0x0409 0x04b0

                                          Possible Origin

                                          Language of compilation systemCountry where language is spokenMap
                                          EnglishUnited States

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Mar 5, 2025 08:06:47.624560118 CET49709443192.168.2.7149.154.167.220
                                          Mar 5, 2025 08:06:47.624589920 CET44349709149.154.167.220192.168.2.7
                                          Mar 5, 2025 08:06:47.624660969 CET49709443192.168.2.7149.154.167.220
                                          Mar 5, 2025 08:06:47.655558109 CET49709443192.168.2.7149.154.167.220
                                          Mar 5, 2025 08:06:47.655575991 CET44349709149.154.167.220192.168.2.7
                                          Mar 5, 2025 08:06:48.296828032 CET44349709149.154.167.220192.168.2.7
                                          Mar 5, 2025 08:06:48.296977043 CET49709443192.168.2.7149.154.167.220
                                          Mar 5, 2025 08:06:48.872028112 CET49709443192.168.2.7149.154.167.220
                                          Mar 5, 2025 08:06:48.872051001 CET44349709149.154.167.220192.168.2.7
                                          Mar 5, 2025 08:06:48.872314930 CET44349709149.154.167.220192.168.2.7
                                          Mar 5, 2025 08:06:48.872381926 CET49709443192.168.2.7149.154.167.220
                                          Mar 5, 2025 08:06:48.874644041 CET49709443192.168.2.7149.154.167.220
                                          Mar 5, 2025 08:06:48.874656916 CET44349709149.154.167.220192.168.2.7

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Mar 5, 2025 08:06:47.611347914 CET5577453192.168.2.71.1.1.1
                                          Mar 5, 2025 08:06:47.618541002 CET53557741.1.1.1192.168.2.7

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Mar 5, 2025 08:06:47.611347914 CET192.168.2.71.1.1.10x8c53Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Mar 5, 2025 08:06:47.618541002 CET1.1.1.1192.168.2.70x8c53No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:02:06:46
                                          Start date:05/03/2025
                                          Path:C:\Users\user\Desktop\Cb523jmji0.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\Cb523jmji0.exe"
                                          Imagebase:0x7ff670390000
                                          File size:931'328 bytes
                                          MD5 hash:3BABCE4F85902C7BCFDE22E222508C4E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:1
                                          Start time:02:06:46
                                          Start date:05/03/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff75da10000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Disassembly

                                          Reset < >