Windows Analysis Report
8082-svc-x64.exe

Overview

General Information

Sample Name: 8082-svc-x64.exe
Analysis ID: 780212
MD5: 89be3be20ca0dce73c12a5a015bcb9a5
SHA1: 4f92b6f168ee8536278fa58a6df5c9b368421030
SHA256: 37e828da01820aad58414d0b73c935a0e408c274cdd872cbbae25f9cbcba0b08
Tags: 45139105143exeopendir
Infos:

Detection

CobaltStrike
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected CobaltStrike
Multi AV Scanner detection for submitted file
Found API chain indicative of debugger detection
Machine Learning detection for sample
Yara signature match
Found large amount of non-executed APIs
Program does not show much activity (idle)
PE file contains sections with non-standard names

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 8082-svc-x64.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: 8082-svc-x64.exe ReversingLabs: Detection: 80%
Source: 8082-svc-x64.exe Virustotal: Detection: 68% Perma Link
Machine Learning detection for sample
Source: 8082-svc-x64.exe Joe Sandbox ML: detected
Yara signature match
Source: 8082-svc-x64.exe, type: SAMPLE Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 0.2.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 0.0.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Resources_Artifact64_v3_14_to_v4_x date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44
Source: 8082-svc-x64.exe ReversingLabs: Detection: 80%
Source: 8082-svc-x64.exe Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\8082-svc-x64.exe Code function: 0_2_00403390 StartServiceCtrlDispatcherA, 0_2_00403390
Source: C:\Users\user\Desktop\8082-svc-x64.exe Code function: 0_2_00403382 StartServiceCtrlDispatcherA, 0_2_00403382
Source: 8082-svc-x64.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8082-svc-x64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\8082-svc-x64.exe Code function: 0_2_00403390 StartServiceCtrlDispatcherA, 0_2_00403390
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/0@0/0
PE file contains sections with non-standard names
Source: 8082-svc-x64.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\8082-svc-x64.exe Code function: 0_2_00403390 StartServiceCtrlDispatcherA, 0_2_00403390
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\8082-svc-x64.exe API coverage: 7.2 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\Desktop\8082-svc-x64.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\8082-svc-x64.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,GetProcAddress,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 0_2_00401180
Source: C:\Users\user\Desktop\8082-svc-x64.exe Code function: 0_2_00402DD0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00402DD0
Source: C:\Users\user\Desktop\8082-svc-x64.exe Code function: 0_2_00402D00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00402D00
Source: C:\Users\user\Desktop\8082-svc-x64.exe Code function: 0_2_00401790 CreateNamedPipeA,ConnectNamedPipe,WriteFile,WriteFile,CloseHandle, 0_2_00401790

Remote Access Functionality
barindex
Yara detected CobaltStrike
Source: Yara match File source: 8082-svc-x64.exe, type: SAMPLE
Source: Yara match File source: 0.2.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.8082-svc-x64.exe.400000.0.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 780212 Sample: 8082-svc-x64.exe Startdate: 08/01/2023 Architecture: WINDOWS Score: 72 8 Antivirus / Scanner detection for submitted sample 2->8 10 Multi AV Scanner detection for submitted file 2->10 12 Yara detected CobaltStrike 2->12 14 Machine Learning detection for sample 2->14 5 8082-svc-x64.exe 2->5         started        process3 signatures4 16 Found API chain indicative of debugger detection 5->16
No contacted IP infos