Windows Analysis Report
8082-svc-x86.exe

Overview

General Information

Sample Name: 8082-svc-x86.exe
Analysis ID: 780207
MD5: 8fc088eec229a693f2d754c67a2e506a
SHA1: 0043b6ba9f8edfd83d00bbce364797d4c65b3b75
SHA256: deeb89a16aa2b7b63504602de422f508c196b8be3289e57f3b9d74337d585425
Tags: 45139105143exeopendir

Detection

CobaltStrike
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected CobaltStrike
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Program does not show much activity (idle)

Classification

AV Detection

Source: 8082-svc-x86.exe Avira: detected
Source: 8082-svc-x86.exe ReversingLabs: Detection: 92%
Source: 8082-svc-x86.exe Joe Sandbox ML: detected
Source: 0.0.8082-svc-x86.exe.400000.0.unpack Avira: Label: TR/Hijacker.Gen
Source: 0.2.8082-svc-x86.exe.400000.0.unpack Avira: Label: TR/Hijacker.Gen
Source: 8082-svc-x86.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 8082-svc-x86.exe, type: SAMPLE Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 8082-svc-x86.exe, type: SAMPLE Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 00000000.00000000.295977191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: C:\Users\user\Desktop\8082-svc-x86.exe Code function: 0_2_00402F5A StartServiceCtrlDispatcherA, 0_2_00402F5A
Source: C:\Users\user\Desktop\8082-svc-x86.exe Code function: 0_2_00402F50 StartServiceCtrlDispatcherA, 0_2_00402F50
Source: 8082-svc-x86.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8082-svc-x86.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal68.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\8082-svc-x86.exe Code function: 0_2_00401BC9 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_00401BC9
Source: C:\Users\user\Desktop\8082-svc-x86.exe API coverage: 4.7 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\8082-svc-x86.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 0_2_00401180
Source: C:\Users\user\Desktop\8082-svc-x86.exe Code function: 0_2_00402B60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00402B60
Source: C:\Users\user\Desktop\8082-svc-x86.exe Code function: 0_2_00402A90 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00402A90
Source: C:\Users\user\Desktop\8082-svc-x86.exe Code function: 0_2_004017FC CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle, 0_2_004017FC

Remote Access Functionality

Source: Yara match File source: 8082-svc-x86.exe, type: SAMPLE
Source: Yara match File source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
No contacted IP infos