Source: 8082-svc-x64.exe |
ReversingLabs: Detection: 80% |
Source: 8082-svc-x64.exe |
Virustotal: Detection: 68% |
Source: 8082-svc-x64.exe, type: SAMPLE |
Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44 |
Source: 0.2.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44 |
Source: 0.0.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44 |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
Code function: 0_2_00403390 StartServiceCtrlDispatcherA, |
0_2_00403390 |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
Code function: 0_2_00403382 StartServiceCtrlDispatcherA, |
0_2_00403382 |
Source: 8082-svc-x64.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@1/0@0/0 |
Source: 8082-svc-x64.exe |
Static PE information: section name: .xdata |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
API coverage: 7.2 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, |
0_2_00401180 |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
Code function: 0_2_00402DD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, |
0_2_00402DD0 |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
Code function: 0_2_00402D00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
0_2_00402D00 |
Source: C:\Users\user\Desktop\8082-svc-x64.exe |
Code function: 0_2_00401790 CreateNamedPipeA,ConnectNamedPipe,WriteFile,WriteFile,CloseHandle, |
0_2_00401790 |
Source: Yara match |
File source: 8082-svc-x64.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE |