Source: 8082-svc-x86.exe
ReversingLabs: Detection: 92%
Source: 0.0.8082-svc-x86.exe.400000.0.unpack
Avira: Label: TR/Hijacker.Gen
Source: 0.2.8082-svc-x86.exe.400000.0.unpack
Avira: Label: TR/Hijacker.Gen
Source: 8082-svc-x86.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 8082-svc-x86.exe, type: SAMPLE
Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 8082-svc-x86.exe, type: SAMPLE
Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: CobaltStrike_Resources_Artifact32_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719
Source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 00000000.00000002.296319172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: 00000000.00000000.295977191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Matched rule: CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x), reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = 871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9
Source: C:\Users\user\Desktop\8082-svc-x86.exe
Code function: 0_2_00402F5A StartServiceCtrlDispatcherA,
0_2_00402F5A
Source: C:\Users\user\Desktop\8082-svc-x86.exe
Code function: 0_2_00402F50 StartServiceCtrlDispatcherA,
0_2_00402F50
Source: 8082-svc-x86.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8082-svc-x86.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine
Classification label: mal68.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\8082-svc-x86.exe
Code function: 0_2_00401BC9 _winmajor,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,
0_2_00401BC9
Source: C:\Users\user\Desktop\8082-svc-x86.exe
API coverage: 4.7 %
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\8082-svc-x86.exe
Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit,
0_2_00401180
Source: C:\Users\user\Desktop\8082-svc-x86.exe
Code function: 0_2_00402B60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,
0_2_00402B60
Source: C:\Users\user\Desktop\8082-svc-x86.exe
Code function: 0_2_00402A90 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
0_2_00402A90
Source: C:\Users\user\Desktop\8082-svc-x86.exe
Code function: 0_2_004017FC CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle,
0_2_004017FC
Source: Yara match
File source: 8082-svc-x86.exe, type: SAMPLE
Source: Yara match
File source: 0.2.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 0.0.8082-svc-x86.exe.400000.0.unpack, type: UNPACKEDPE