Play interactive tour

Edit tour

Windows Analysis Report 3fVvJyTvQU

Overview

General Information

Sample Name:	3fVvJyTvQU (renamed file extension from none to exe)
Analysis ID:	458975
MD5:	4003498f5c38cf05a71125d4e8745791
SHA1:	5bf2e49a13c64f3f65c0b8ef8a61f8202cde5359
SHA256:	ad5711a5bdcd7c6334389a2ed722e16e774d8f55737e85f57c71ec3e1767c63b
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Creates processes via WMI

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

3fVvJyTvQU.exe (PID: 5440 cmdline: 'C:\Users\user\Desktop\3fVvJyTvQU.exe' MD5: 4003498F5C38CF05A71125D4E8745791)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

3fVvJyTvQU.exe (PID: 5956 cmdline: 'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a MD5: 4003498F5C38CF05A71125D4E8745791)

conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: google.vrthcobj.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\sqlite.dll

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 3fVvJyTvQU.exe	Virustotal: Detection: 31%			Perma Link
Source: 3fVvJyTvQU.exe	ReversingLabs: Detection: 48%

Source: 3fVvJyTvQU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49712 version: TLS 1.2

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: 3fVvJyTvQU.exe, 00000003.00000003.214893639.0000000000640000.00000004.00000001.sdmp, sqlite.dll.3.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:57569 -> 34.97.69.225:53

Source: Joe Sandbox View

IP Address: 172.67.146.70 172.67.146.70

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

DNS traffic detected: queries for: a.goatgame.co

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_004048ED

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD

Source: 3fVvJyTvQU.exe, 00000000.00000000.199853055.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000000.00000002.203152076.0000000002300000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000000.00000002.203209704.0000000002360000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000000.00000002.203209704.0000000002360000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216402889.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216710496.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000003.214893639.0000000000640000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216651961.0000000002080000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216658689.0000000002090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216698116.00000000021B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216702455.00000000021C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs 3fVvJyTvQU.exe

Source: 3fVvJyTvQU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.winEXE@5/2@3/1

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dat

Jump to behavior

Source: 3fVvJyTvQU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 3fVvJyTvQU.exe	Virustotal: Detection: 31%
Source: 3fVvJyTvQU.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

File read: C:\Users\user\Desktop\3fVvJyTvQU.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3fVvJyTvQU.exe 'C:\Users\user\Desktop\3fVvJyTvQU.exe'
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Process created: C:\Users\user\Desktop\3fVvJyTvQU.exe 'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Process created: C:\Users\user\Desktop\3fVvJyTvQU.exe 'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: 3fVvJyTvQU.exe, 00000003.00000003.214893639.0000000000640000.00000004.00000001.sdmp, sqlite.dll.3.dr

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_00406590 push eax; ret

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe TID: 5328	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe TID: 5888	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Code function: 0_2_004053C2 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Code function: 0_2_004053B0 SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Process created: C:\Users\user\Desktop\3fVvJyTvQU.exe 'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_0040267E EntryPoint,GetVersion,GetCommandLineA,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3fVvJyTvQU.exe	32%	Virustotal		Browse
3fVvJyTvQU.exe	48%	ReversingLabs	Win32.Trojan.Sabsik

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	14%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\sqlite.dll	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
google.vrthcobj.com	8%	Virustotal		Browse
a.goatgame.co	2%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.vrthcobj.com	34.97.69.225	true	true	8%, Virustotal, Browse	unknown
a.goatgame.co	172.67.146.70	true	false	2%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.146.70	a.goatgame.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458975
Start date:	03.08.2021
Start time:	23:41:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 59s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	3fVvJyTvQU (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.winEXE@5/2@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 93.6%) Quality average: 79.3% Quality standard deviation: 29%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.139.144, 40.88.32.150 Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:42:11	API Interceptor	4x Sleep call for process: 3fVvJyTvQU.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.146.70	TMB1fxNaqR.exe	Get hash	malicious	Browse
	LRios3pM39.exe	Get hash	malicious	Browse
	85d8c.exe	Get hash	malicious	Browse
	QfVER41Fwx.exe	Get hash	malicious	Browse
	O3h9kRdG7d.exe	Get hash	malicious	Browse
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse
	U7HCBc2SVy.exe	Get hash	malicious	Browse
	76xAf6BYg8.exe	Get hash	malicious	Browse
	E4lwAiXNCE.exe	Get hash	malicious	Browse
	pLF8TJmHlD.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
google.vrthcobj.com	TMB1fxNaqR.exe	Get hash	malicious	Browse	34.97.69.225
	LRios3pM39.exe	Get hash	malicious	Browse	34.97.69.225
	85d8c.exe	Get hash	malicious	Browse	34.97.69.225
	QfVER41Fwx.exe	Get hash	malicious	Browse	34.97.69.225
	93ejLcdBh5.exe	Get hash	malicious	Browse	34.97.69.225
	k2VFD3gNGE.exe	Get hash	malicious	Browse	34.97.69.225
	MIN56KgzBN.exe	Get hash	malicious	Browse	34.97.69.225
	U7HCBc2SVy.exe	Get hash	malicious	Browse	34.97.69.225
	TIoFSlDlv6.exe	Get hash	malicious	Browse	34.97.69.225
	76xAf6BYg8.exe	Get hash	malicious	Browse	34.97.69.225
	E4lwAiXNCE.exe	Get hash	malicious	Browse	34.97.69.225
	pLF8TJmHlD.exe	Get hash	malicious	Browse	34.97.69.225
	sonia_6.exe	Get hash	malicious	Browse	34.97.69.225
	5H4iRfY1ek.exe	Get hash	malicious	Browse	34.97.69.225
	Copy.exe	Get hash	malicious	Browse	34.97.69.225
	pMVkvSyeIy.exe	Get hash	malicious	Browse	34.97.69.225
	w7pR0EOMwd.exe	Get hash	malicious	Browse	34.97.69.225
	BoLQVCmIZB.exe	Get hash	malicious	Browse	34.97.69.225
	DhWFvSKvSb.exe	Get hash	malicious	Browse	34.97.69.225
	U2HHCJvDj4.exe	Get hash	malicious	Browse	34.97.69.225
a.goatgame.co	TMB1fxNaqR.exe	Get hash	malicious	Browse	172.67.146.70
	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	85d8c.exe	Get hash	malicious	Browse	104.21.79.144
	85d8c.exe	Get hash	malicious	Browse	172.67.146.70
	QfVER41Fwx.exe	Get hash	malicious	Browse	172.67.146.70
	O3h9kRdG7d.exe	Get hash	malicious	Browse	172.67.146.70
	puzlXYxqKK.exe	Get hash	malicious	Browse	104.21.79.144
	k2VFD3gNGE.exe	Get hash	malicious	Browse	104.21.79.144
	MIN56KgzBN.exe	Get hash	malicious	Browse	104.21.79.144
	U7HCBc2SVy.exe	Get hash	malicious	Browse	172.67.146.70
	TIoFSlDlv6.exe	Get hash	malicious	Browse	104.21.79.144
	76xAf6BYg8.exe	Get hash	malicious	Browse	172.67.146.70
	E4lwAiXNCE.exe	Get hash	malicious	Browse	172.67.146.70
	pLF8TJmHlD.exe	Get hash	malicious	Browse	172.67.146.70
	sonia_6.exe	Get hash	malicious	Browse	104.21.79.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	TMB1fxNaqR.exe	Get hash	malicious	Browse	172.67.146.70
	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	State Settlement Copy.html	Get hash	malicious	Browse	172.67.75.3
	Request Quotation.exe	Get hash	malicious	Browse	172.67.188.154
	invoice.vbs	Get hash	malicious	Browse	162.159.130.233
	kKZZ0J8y0c.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 29.exe	Get hash	malicious	Browse	104.21.19.200
	ATT80307.HTM	Get hash	malicious	Browse	104.16.19.94
	2C.TA9.HTML	Get hash	malicious	Browse	104.18.11.207
	Dosusign_Na_Sign.htm	Get hash	malicious	Browse	172.67.145.176
	RoyalMail_Requestform0729.exe	Get hash	malicious	Browse	172.67.188.154
	sbcss_Richard.DeNava_#inv0549387TWQYqzTPaYeqvaYMnpdIfJAwwzbguzauViQVRRplvOktNmAire.HTM	Get hash	malicious	Browse	104.16.18.94
	Fake.HTM	Get hash	malicious	Browse	104.16.19.94
	RoyalMail_Requestform1.exe	Get hash	malicious	Browse	172.67.188.154
	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	172.67.188.154
	ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe	Get hash	malicious	Browse	172.67.176.89
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	items.doc	Get hash	malicious	Browse	104.21.19.200
	ZI09484474344.exe	Get hash	malicious	Browse	104.21.49.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	TMB1fxNaqR.exe	Get hash	malicious	Browse	172.67.146.70
	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	24um7vU1BD.exe	Get hash	malicious	Browse	172.67.146.70
	JQ2bNBDOcO.exe	Get hash	malicious	Browse	172.67.146.70
	Dpwipnj1gx.exe	Get hash	malicious	Browse	172.67.146.70
	19G1ZLyqr2.exe	Get hash	malicious	Browse	172.67.146.70
	ULylDR5F36.exe	Get hash	malicious	Browse	172.67.146.70
	SecuriteInfo.com.W32.AIDetect.malware2.26285.exe	Get hash	malicious	Browse	172.67.146.70
	banload.msi	Get hash	malicious	Browse	172.67.146.70
	yQShMhZ7Hi.exe	Get hash	malicious	Browse	172.67.146.70
	zW4oE2ASRB.exe	Get hash	malicious	Browse	172.67.146.70
	run.exe	Get hash	malicious	Browse	172.67.146.70
	RNrtE1qOSL.exe	Get hash	malicious	Browse	172.67.146.70
	hDJzf1oo7U.exe	Get hash	malicious	Browse	172.67.146.70
	hpDcwMoScr.exe	Get hash	malicious	Browse	172.67.146.70
	JGJtVyC9dr.exe	Get hash	malicious	Browse	172.67.146.70
	QqcQ1EteWS.exe	Get hash	malicious	Browse	172.67.146.70
	Ya50avl5OT.exe	Get hash	malicious	Browse	172.67.146.70
	8xCetBLoAt.exe	Get hash	malicious	Browse	172.67.146.70
	7xt9iOfzN2.exe	Get hash	malicious	Browse	172.67.146.70

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	TMB1fxNaqR.exe	Get hash	malicious	Browse
	LRios3pM39.exe	Get hash	malicious	Browse
	CyLELjM5zk.exe	Get hash	malicious	Browse
	setup_x86_x64_install.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\sqlite.dat Download File
Process:	C:\Users\user\Desktop\3fVvJyTvQU.exe
File Type:	data
Category:	dropped
Size (bytes):	578665
Entropy (8bit):	7.9654519561375405
Encrypted:	false
SSDEEP:	12288:811ticqWIMMXa2ad3KNj8++VUYgokNxcg8aVg1gKtY7SQ0O:YPeBaRKNjdklalbVygKtY7xX
MD5:	9AB1B7EC387DAE76B10ADE9CEE9F7E16
SHA1:	C88CE8EF04C2A34890F91D2A908053C56FE49349
SHA-256:	90C8B4423A96315412C7B28E242F8A83B2F805DE631B4F852621EA73BA11C42E
SHA-512:	8EAF5E21F3150884101636B04DA11DCDD1009B321D0E858B382012362F538B8D43FC56AC7EF06CA40B44DA809E7D294C1812200A3FB7231AE1ED07494E6E6A8A
Malicious:	false
Reputation:	low
Preview:	.<..Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V...)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..jj.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2\|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i\|..y.Q'....k...}FT.X.jY..Y....o......y..=\|6..%..z/........s....>.j.-s.k../.:..........>\|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...\|/h..jfDX.S...`&...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^.......aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./

C:\Users\user\AppData\Local\Temp\sqlite.dll Download File
Process:	C:\Users\user\Desktop\3fVvJyTvQU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81408
Entropy (8bit):	6.295064838876099
Encrypted:	false
SSDEEP:	1536:jkOh0YR+kfbE+2AJk64OceTbkS9Co5sWzcdSzEdY+wJpxpbcNop//:jkcjHY+fJhPN9H2SIdY+wJpxpQ8//
MD5:	05250AA12AD3C6A86DAB6DAB708D17FF
SHA1:	E41AD72C9A43070BB11FD7411800F71DDDF6BDD8
SHA-256:	7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD
SHA-512:	A56DF11AF5243150753154E1CBA74E3CDD0CDECF09269B88A3944AC12B73DE59909CE6DBBBD3B1B6DA691D144FAC2599645B2017F66BAC64A106437168EC38C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 15%
Joe Sandbox View:	Filename: TMB1fxNaqR.exe, Detection: malicious, Browse Filename: LRios3pM39.exe, Detection: malicious, Browse Filename: CyLELjM5zk.exe, Detection: malicious, Browse Filename: setup_x86_x64_install.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..f.x.5.x.5.x.5..r5.x.5..p5dx.5..q5.x.5@..4.x.5@..4.x.5@..4.x.5...5.x.5.x.5Jx.5...4.x.5...4.x.5..\|5.x.5...4.x.5Rich.x.5........................PE..L...f@.a...........!................8........................................p............@..........................&..L...<'..(....P.......................`...... ...p...................0...........@............................................text...M........................... ..`.rdata...].......^..................@..@.data........0....... ..............@....rsrc........P.......(..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	4.57901861732841
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3fVvJyTvQU.exe
File size:	57344
MD5:	4003498f5c38cf05a71125d4e8745791
SHA1:	5bf2e49a13c64f3f65c0b8ef8a61f8202cde5359
SHA256:	ad5711a5bdcd7c6334389a2ed722e16e774d8f55737e85f57c71ec3e1767c63b
SHA512:	e603139a756496abbd867c619ad31a7bed73e8b6f789982d5d4d8fc3a444d3dbd6dd6a6b2aa109f6e1d3ceb6ecc1546987f4379f5ca36f71f360a793c4eb4ff1
SSDEEP:	768:zQR+JJlY3yGJxNojkTnJI6TWzzejkZy/xbD9BxufhqXKCl3G9:nAoITdT0Zy5bZXYml3G9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../Q..N?..N?..N?.CF`..N?..l4..N?.NR1..N?..h4..N?..h5..N?.NFb..N?..N>..N?..m...N?.Rich.N?.........PE..L....E.a.................p.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40267e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x610745D0 [Mon Aug 2 01:09:36 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2cdeda7a0aa27475a825e9c41d4d95f0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00408150h
push 00403E38h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00408050h]
xor edx, edx
mov dl, ah
mov dword ptr [0040CF70h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040CF6Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040CF68h], ecx
shr eax, 10h
mov dword ptr [0040CF64h], eax
push 00000001h
call 00007FA9F0C4619Bh
pop ecx
test eax, eax
jne 00007FA9F0C44AAAh
push 0000001Ch
call 00007FA9F0C44B50h
pop ecx
call 00007FA9F0C45603h
test eax, eax
jne 00007FA9F0C44AAAh
push 00000010h
call 00007FA9F0C44B3Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007FA9F0C45E43h
call dword ptr [0040804Ch]
mov dword ptr [0040D658h], eax
call 00007FA9F0C45D01h
mov dword ptr [0040CF54h], eax
call 00007FA9F0C45AAAh
call 00007FA9F0C459ECh
call 00007FA9F0C4574Fh
mov eax, dword ptr [0040CF80h]
mov dword ptr [0040CF84h], eax
push eax
push dword ptr [0040CF78h]
push dword ptr [0040CF74h]
call 00007FA9F0C44572h
add esp, 0Ch

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8af0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x3d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6ba7	0x7000	False	0.592808314732	data	6.44090698985	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1186	0x2000	False	0.27001953125	data	3.62785728692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x365c	0x3000	False	0.0795084635417	data	0.841262202445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1000	0x1000	False	0.111083984375	data	1.09363315293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe058	0x37c	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, LoadLibraryA, lstrlenW, InterlockedDecrement, CloseHandle, WriteFile, CreateFileW, lstrcatW, GetModuleFileNameW, RaiseException, LocalFree, lstrlenA, InterlockedIncrement, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, HeapSize
USER32.dll	wsprintfW
ole32.dll	CoInitializeSecurity, CoUninitialize, CoInitialize, CoCreateInstance, CoSetProxyBlanket
OLEAUT32.dll	VariantInit, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData, SysStringLen, SysAllocStringLen, SysAllocString, VariantClear, SysFreeString, GetErrorInfo

Version Infos

Description	Data
LegalCopyright	Copyright (C) 1995-2018 VanDyke Software, Inc.
InternalName	License Helper
FileVersion	8.5.0.1740
CompanyName	VanDyke Software, Inc.
Comments	\$Revision: 122570 \$
ProductName	License Helper
ProductVersion	8.5.0.1740
FileDescription	License Helper
OriginalFilename	LicenseHelper.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-23:42:27.324731	UDP	1948	DNS zone transfer UDP	57569	53	192.168.2.3	34.97.69.225
08/03/21-23:42:33.315221	UDP	1948	DNS zone transfer UDP	57569	53	192.168.2.3	34.97.69.225
08/03/21-23:42:43.654284	UDP	1948	DNS zone transfer UDP	57569	53	192.168.2.3	34.97.69.225
08/03/21-23:42:55.609356	UDP	1948	DNS zone transfer UDP	57569	53	192.168.2.3	34.97.69.225
08/03/21-23:43:04.923912	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225
08/03/21-23:43:05.644246	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225
08/03/21-23:43:06.843778	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225
08/03/21-23:43:07.564120	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225
08/03/21-23:43:09.426405	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:42:08.264192104 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.281058073 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.281203985 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.287096024 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.303870916 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.307393074 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.307447910 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.307477951 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.307560921 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.318670988 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.335412979 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.335603952 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.378514051 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.385346889 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.403290987 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921807051 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921857119 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921886921 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921914101 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921951056 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921989918 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922009945 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922108889 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.922177076 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922216892 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922245026 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922297001 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.922307014 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.922348976 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.922486067 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922534943 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922575951 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922605991 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922712088 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.923085928 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.923157930 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.923270941 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.175451994 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175498962 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175534010 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175575972 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175605059 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175611973 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.175653934 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175673962 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.175688028 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175703049 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.175932884 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175975084 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176001072 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.176013947 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176049948 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176105022 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.176722050 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176764011 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176800013 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176834106 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.176837921 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176873922 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.177556992 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.177594900 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.177649021 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.177679062 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.177679062 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.177722931 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.178124905 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178167105 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178204060 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178239107 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178250074 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.178320885 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.178942919 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178983927 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.179012060 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.179105043 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.179135084 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.179177046 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.179208994 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.179280043 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.427622080 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427695036 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427738905 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427767038 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427803993 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427833080 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427968025 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.428467035 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428498983 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428536892 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428572893 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428653002 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.428764105 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428802013 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428848982 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428889990 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428935051 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.429013014 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.429570913 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.429613113 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.429649115 CEST	443	49712	172.67.146.70	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:41:59.158646107 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:41:59.184545994 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 3, 2021 23:41:59.938543081 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:41:59.963732958 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:00.741821051 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:00.766784906 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:01.671165943 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:01.698786974 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:02.675854921 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:02.708280087 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:03.780181885 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:03.805951118 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:04.752377033 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:04.776922941 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:05.417403936 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:05.449994087 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:06.845972061 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:06.873339891 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:07.835000038 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:07.867800951 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:08.197936058 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:08.233841896 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:08.555628061 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:08.580760002 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:09.380799055 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:09.417661905 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:10.217458010 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:10.244851112 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:10.861213923 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:10.888822079 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:11.512830973 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:11.540487051 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:12.335515976 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:12.361551046 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:13.635502100 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:13.660516024 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:16.394717932 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:16.395879984 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:16.422513962 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:16.431968927 CEST	53	57568	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 23:42:08.197936058 CEST	192.168.2.3	8.8.8.8	0x293	Standard query (0)	a.goatgame.co	A (IP address)	IN (0x0001)
Aug 3, 2021 23:42:16.394717932 CEST	192.168.2.3	8.8.8.8	0x7c06	Standard query (0)	google.vrthcobj.com	A (IP address)	IN (0x0001)
Aug 3, 2021 23:42:16.395879984 CEST	192.168.2.3	8.8.8.8	0xbcfd	Standard query (0)	google.vrthcobj.com	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 23:42:08.233841896 CEST	8.8.8.8	192.168.2.3	0x293	No error (0)	a.goatgame.co	172.67.146.70	A (IP address)	IN (0x0001)
Aug 3, 2021 23:42:08.233841896 CEST	8.8.8.8	192.168.2.3	0x293	No error (0)	a.goatgame.co	104.21.79.144	A (IP address)	IN (0x0001)
Aug 3, 2021 23:42:16.422513962 CEST	8.8.8.8	192.168.2.3	0x7c06	No error (0)	google.vrthcobj.com	34.97.69.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 3, 2021 23:42:08.307447910 CEST	172.67.146.70	443	192.168.2.3	49712	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jul 18 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jul 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Aug 3, 2021 23:42:08.307447910 CEST	172.67.146.70	443	192.168.2.3	49712	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 3fVvJyTvQU.exe PID: 5440 Parent PID: 5636

General

Start time:	23:42:04
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\3fVvJyTvQU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\3fVvJyTvQU.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	4003498F5C38CF05A71125D4E8745791
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 6128 Parent PID: 5440

General

Start time:	23:42:05
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 3fVvJyTvQU.exe PID: 5956 Parent PID: 5440

General

Start time:	23:42:06
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\3fVvJyTvQU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	4003498F5C38CF05A71125D4E8745791
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 5300 Parent PID: 5956

General

Start time:	23:42:06
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 3fVvJyTvQU

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: 3fVvJyTvQU.exe PID: 5440 Parent PID: 5636

General