Edit tour
Windows
Analysis Report
Cv8saT11Ha.exe
Overview
General Information
| Sample name: | Cv8saT11Ha.exerenamed because original name is a hash value |
| Original sample name: | 4c4858e14a1c4a4646f87a4066ef76f0de5f676fcc7b9e35082032c6dca5f7c3.exe |
| Analysis ID: | 1640837 |
| MD5: | 435260381dfa8188ae946747c37c5a56 |
| SHA1: | efadb241de6c45c6ddf01b334a46392d459b24ce |
| SHA256: | 4c4858e14a1c4a4646f87a4066ef76f0de5f676fcc7b9e35082032c6dca5f7c3 |
| Tags: | 46-4-119-125exeuser-JAMESWT_MHT |
| Infos: |  |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Allocates memory in foreign processes
Compiles code for process injection (via .Net compiler)
Compiles code to access protected / encrypted code
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Silenttrinity Stager Msbuild Activity
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Suricata IDS alerts with low severity for network traffic
Classification
- System is w10x64
Cv8saT11Ha.exe (PID: 5568 cmdline: "C:\Users\ user\Deskt op\Cv8saT1 1Ha.exe" MD5: 435260381DFA8188AE946747C37C5A56) 
csc.exe (PID: 4772 cmdline: "C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\zwfmjo hs\zwfmjoh s.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66) 
conhost.exe (PID: 2488 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cvtres.exe (PID: 5812 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESE2BC.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\zwf mjohs\CSCF 0F326422D0 7473686DDD 12E3DAF1AC 8.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950) - csc.exe (PID: 4704 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\d0kbsf t0\d0kbsft 0.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66) - conhost.exe (PID: 5676 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cvtres.exe (PID: 3220 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESB81.tmp " "c:\User s\user\App Data\Local \Temp\d0kb sft0\CSCD7 ED74F378CA 4D0F9E92AD 1E9CBB99EA .TMP" MD5: C877CBB966EA5939AA2A17B6A5160950) 
MSBuild.exe (PID: 7140 cmdline: C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\MS Build.exe MD5: 2EDD0B288FE2459DA84E4274D1942343)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Kiran kumar s, oscd.community: | ||
| Source: | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): | ||
| Source: | Author: frack113: | ||
Data Obfuscation | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-17T19:19:50.637302+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49682 | 147.45.44.68 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Binary or memory string: | memstr_99d4d30b-c | |
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | HTTP traffic detected: | ||