cuckoo.ee (2a00:6a00:ad1:806::85)

URL: https://cuckoo.ee/analysis/3531908/summary/
Submission Tags: falconsandbox
Submission: On October 08 via api from US — Scanned from DE



SUMMARY

3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware3

Size: 1.6MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: b63bc3a7354168a6eeb8763d99967f84
SHA1: 8aa1dbe692f74a576375ecfade7288674e08a354
SHA256: 287c957b5d5a3a6420eecc7b3c25481ccf442a04e8455a829f8baf0cb6ee89bc
SHA512: 4f5a20b800282bcac46dc607fade2dec9318fd2a67b1b0bd94dfc6b47f527a5dcbeee69305db156e92e50933d5bd31a581e1d93719a26e0bc33092d2d76dd9b7
CRC32: E3B0E8BB
ssdeep: None
Yara:
 * ppaction - (no description)
 * anti_dbg - Checks if being debugged
 * inject_thread - Code injection with CreateRemoteThread in a remote process
 * network_http - Communications over HTTP
 * network_tcp_socket - Communications over RAW socket
 * escalate_priv - Escalade priviledges
 * screenshot - Take screenshot
 * keylogger - Run a keylogger
 * win_registry - Affect system registries
 * win_token - Affect system token

SCORE

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should
be considered an alpha feature.

--------------------------------------------------------------------------------


INFORMATION ON EXECUTION

Analysis

Category: FILE
Started: Oct. 8, 2022, 12:24 p.m.
Completed: Oct. 8, 2022, 12:34 p.m.
Duration: 568 seconds
Routing: internet
Logs: Analyzer Log, Cuckoo Log

ANALYZER LOG

2022-10-08 12:24:27,000 [analyzer] DEBUG: Starting analyzer from: C:\tmp4nivwu
2022-10-08 12:24:27,000 [analyzer] DEBUG: Pipe server name: \??\PIPE\ZvEegrbYuAxDbUXTtmL
2022-10-08 12:24:27,000 [analyzer] DEBUG: Log pipe server name: \??\PIPE\kCtjjtJkfFcbeZCeQCzN
2022-10-08 12:24:27,280 [analyzer] DEBUG: Started auxiliary module Curtain
2022-10-08 12:24:27,280 [analyzer] DEBUG: Started auxiliary module DbgView
2022-10-08 12:24:27,828 [analyzer] DEBUG: Started auxiliary module Disguise
2022-10-08 12:24:28,030 [analyzer] DEBUG: Loaded monitor into process with pid 508
2022-10-08 12:24:28,030 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2022-10-08 12:24:28,030 [analyzer] DEBUG: Started auxiliary module Human
2022-10-08 12:24:28,030 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2022-10-08 12:24:28,030 [analyzer] DEBUG: Started auxiliary module Reboot
2022-10-08 12:24:28,078 [analyzer] DEBUG: Started auxiliary module RecentFiles
2022-10-08 12:24:28,092 [analyzer] DEBUG: Started auxiliary module Screenshots
2022-10-08 12:24:28,092 [analyzer] DEBUG: Started auxiliary module Sysmon
2022-10-08 12:24:28,092 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2022-10-08 12:24:28,265 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware3.exe' with arguments '' and pid 2056
2022-10-08 12:24:28,483 [analyzer] DEBUG: Loaded monitor into process with pid 2056
2022-10-08 12:24:28,546 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2056.
2022-10-08 12:24:29,265 [analyzer] INFO: Process with pid 2056 has terminated
2022-10-08 12:24:29,265 [analyzer] INFO: Process list is empty, terminating analysis.
2022-10-08 12:24:30,421 [analyzer] INFO: Terminating remaining processes before shutdown.
2022-10-08 12:24:30,437 [analyzer] INFO: Analysis completed.


CUCKOO LOG

2022-10-08 12:24:32,472 [cuckoo.core.scheduler] INFO: Task #3531908: acquired machine win7x6424 (label=win7x6424)
2022-10-08 12:24:32,474 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.224 for task #3531908
2022-10-08 12:24:32,658 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3831091 (interface=vboxnet0, host=192.168.168.224)
2022-10-08 12:24:33,904 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6424
2022-10-08 12:24:34,305 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6424 to vmcloak
2022-10-08 12:29:17,148 [cuckoo.core.guest] INFO: Starting analysis #3531908 on guest (id=win7x6424, ip=192.168.168.224)
2022-10-08 12:29:18,158 [cuckoo.core.guest] DEBUG: win7x6424: not ready yet
2022-10-08 12:29:23,179 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6424, ip=192.168.168.224)
2022-10-08 12:29:23,254 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6424, ip=192.168.168.224, monitor=latest, size=6659295)
2022-10-08 12:29:24,865 [cuckoo.core.resultserver] DEBUG: Task #3531908: live log analysis.log initialized.
2022-10-08 12:29:25,846 [cuckoo.core.resultserver] DEBUG: Task #3531908 is sending a BSON stream
2022-10-08 12:29:26,281 [cuckoo.core.resultserver] DEBUG: Task #3531908 is sending a BSON stream
2022-10-08 12:29:27,056 [cuckoo.core.resultserver] DEBUG: Task #3531908: File upload for 'shots/0001.jpg'
2022-10-08 12:29:27,096 [cuckoo.core.resultserver] DEBUG: Task #3531908 uploaded file length: 133516
2022-10-08 12:29:28,207 [cuckoo.core.resultserver] DEBUG: Task #3531908: File upload for 'curtain/1665224670.33.curtain.log'
2022-10-08 12:29:28,240 [cuckoo.core.resultserver] DEBUG: Task #3531908 uploaded file length: 36
2022-10-08 12:29:28,305 [cuckoo.core.resultserver] DEBUG: Task #3531908: File upload for 'sysmon/1665224670.42.sysmon.xml'
2022-10-08 12:29:28,354 [cuckoo.core.resultserver] DEBUG: Task #3531908 uploaded file length: 371592
2022-10-08 12:29:29,164 [cuckoo.core.resultserver] DEBUG: Task #3531908 had connection reset for <Context for LOG>
2022-10-08 12:29:30,517 [cuckoo.core.guest] INFO: win7x6424: analysis completed successfully
2022-10-08 12:29:30,527 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2022-10-08 12:29:30,576 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2022-10-08 12:30:04,245 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6424 to path /srv/cuckoo/cwd/storage/analyses/3531908/memory.dmp
2022-10-08 12:30:04,246 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6424
2022-10-08 12:33:59,983 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.224 for task #3531908
2022-10-08 12:34:00,156 [cuckoo.core.scheduler] DEBUG: Released database task #3531908
2022-10-08 12:34:00,259 [cuckoo.core.scheduler] INFO: Task #3531908: analysis procedure completed


SIGNATURES

Yara rules detected for file (10 events)

 * rule ppaction - description: (no description)
 * rule anti_dbg - description: Checks if being debugged
 * rule inject_thread - description: Code injection with CreateRemoteThread in a remote process
 * rule network_http - description: Communications over HTTP
 * rule network_tcp_socket - description: Communications over RAW socket
 * rule escalate_priv - description: Escalade priviledges
 * rule screenshot - description: Take screenshot
 * rule keylogger - description: Run a keylogger
 * rule win_registry - description: Affect system registries
 * rule win_token - description: Affect system token

One or more processes crashed (1 event)

Time & API: __exception__ at Oct. 8, 2022, 1:24 p.m.

Arguments:

stacktrace:
3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_malware3+0x25f79 @ 0x1075f79
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x774e9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x774e9f45

exception.instruction_r: a1 c0 ad 4b 00 83 65 f4 00 83 65 f8 00 56 57 bf
exception.symbol: 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_malware3+0x32de9
exception.instruction: mov eax, dword ptr [0x4badc0]
exception.module: 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c_Malware3.exe
exception.exception_code: 0xc0000005
exception.offset: 208361
exception.address: 0x1082de9
registers.esp: 5896252
registers.edi: 0
registers.eax: 1991521176
registers.ebp: 5896272
registers.edx: 17260404
registers.ebx: 4294828032
registers.esi: 0
registers.ecx: 0

Status: 1
Return: 0
Repeated: 0

File has been identified by 5 AntiVirus engine on IRMA as malicious (5 events)

 * Avast Core Security (Linux): Win32:Evo-gen [Trj]
 * F-Secure Antivirus (Linux): Heuristic.HEUR/AGEN.1245581 [Aquarius]
 * Forticlient (Linux): AutoIt/Dloader.SM!tr
 * Avira (Windows): HEUR/AGEN.1245581
 * ClamAV (Linux): Win.Dropper.DarkKomet-9164386-0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

 * Bkav: W32.AIDetect.malware2
 * Lionic: Riskware.MSIL.DownloadSponsor.1!c
 * Elastic: malicious (high confidence)
 * ClamAV: Win.Dropper.DarkKomet-9164386-0
 * FireEye: Generic.mg.b63bc3a7354168a6
 * CAT-QuickHeal: PUA.Chipdigita1.Gen
 * McAfee: Artemis!B63BC3A73541
 * Cylance: Unsafe
 * Sangfor: Virus.Win32.Save.a
 * Alibaba: Malware:Win32/km_2c676c6.None
 * CrowdStrike: win/grayware_confidence_100% (W)
 * Cyren: W32/Downloader.SM.gen!Eldorado
 * Symantec: ML.Attribute.HighConfidence
 * tehtris: Generic.Malware
 * ESET-NOD32: a variant of Win32/DownloadSponsor.C potentially unwanted
 * APEX: Malicious
 * Paloalto: generic.ml
 * Cynet: Malicious (score: 100)
 * Kaspersky: not-a-virus:Downloader.MSIL.DownloadSponsor.r
 * NANO-Antivirus: Trojan.Win32.Agent.edqrfj
 * Avast: Win32:Evo-gen [Trj]
 * Tencent: Msil.Trojan-Downloader.Downloadsponsor.Ktgl
 * Sophos: Generic ML PUA (PUA)
 * Comodo: Application.Win32.DownloadSponsor.CA@6b1yde
 * DrWeb: Adware.Covus.63
 * TrendMicro: PUA.MSIL.DownloadSponsor.SMDR
 * McAfee-GW-Edition: BehavesLike.Win32.TrojanAitInject.th
 * Trapmine: malicious.high.ml.score
 * Emsisoft: Application.AdLoad (A)
 * Ikarus: PUA.DownloadSponsor
 * Jiangmin: Downloader.Agent.i
 * Webroot: W32.Malware.gen
 * Avira: HEUR/AGEN.1245581
 * Microsoft: Program:Win32/Wacapew.C!ml
 * ZoneAlarm: not-a-virus:Downloader.MSIL.DownloadSponsor.r
 * Google: Detected
 * Acronis: suspicious
 * MAX: malware (ai score=99)
 * VBA32: Downloader.MSIL.DownloadSponsor
 * Malwarebytes: PUP.Optional.ChipDe
 * TrendMicro-HouseCall: PUA.MSIL.DownloadSponsor.SMDR
 * Rising: PUF.DownloadSponsor!1.BE33 (CLASSIC)
 * Yandex: PUA.Downloader!CI3y1nhnBOw
 * MaxSecure: Downloader.Agent.efha
 * Fortinet: AutoIt/Dloader.SM!tr
 * AVG: Win32:Evo-gen [Trj]
 * Cybereason: malicious.692f74

Screenshots



Hosts (Name, Response, Post-Analysis Lookup): No hosts contacted.

IP addresses (IP Address, Status, Action, VT, Location): No hosts contacted.

©2010-2018 Cuckoo Sandbox
