File e9d95e48639ce6e3dd08f42c0af22d28f414dcfdeeb250b30942b6a2d7c75e48

Size: 4.0 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2886cc1768569f05f55eaac83c9072a4
SHA1: 76a79528899cf05e1048243801fed1a9f4a0c61b
SHA256: e9d95e48639ce6e3dd08f42c0af22d28f414dcfdeeb250b30942b6a2d7c75e48
SHA512: 001bf312f3447bdd1201c71df13d1ce4473541d501ccafc949535a195415fca65059ceae78a6686eed3d73e3d84ce483bfadf17b1be2d05e2d222d945b5338a8
CRC32: 980E8602
ssdeep: None
Yara
  • UPX - (no description)
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode
  • DebuggerCheck__QueryInfo - (no description)
  • ThreadControl__Context - (no description)
  • anti_dbg - Checks if being debugged
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • network_dns - Communications use DNS
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: July 13, 2025, 6:59 a.m.
Completed: July 13, 2025, 7:02 a.m.
Duration: 225 seconds
Routing: internet

Analyzer Log

2025-07-08 23:00:23,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpriinqn
2025-07-08 23:00:23,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\vAuPIEzmELYYxfVM
2025-07-08 23:00:23,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\LsnVnbElDVbedfgFiDdDJcbQiktVWnl
2025-07-08 23:00:23,342 [analyzer] DEBUG: Started auxiliary module Curtain
2025-07-08 23:00:23,342 [analyzer] DEBUG: Started auxiliary module DbgView
2025-07-08 23:00:23,796 [analyzer] DEBUG: Started auxiliary module Disguise
2025-07-08 23:00:24,030 [analyzer] DEBUG: Loaded monitor into process with pid 512
2025-07-08 23:00:24,030 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-07-08 23:00:24,030 [analyzer] DEBUG: Started auxiliary module Human
2025-07-08 23:00:24,046 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-07-08 23:00:24,046 [analyzer] DEBUG: Started auxiliary module Reboot
2025-07-08 23:00:24,155 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-07-08 23:00:24,155 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-07-08 23:00:24,171 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-07-08 23:00:24,171 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-07-08 23:00:24,328 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\e9d95e48639ce6e3dd08f42c0af22d28f414dcfdeeb250b30942b6a2d7c75e48.exe' with arguments '' and pid 2792
2025-07-08 23:00:24,562 [analyzer] DEBUG: Loaded monitor into process with pid 2792
2025-07-08 23:00:24,703 [analyzer] INFO: Added new file to list with pid 2792 and path C:\Windows\SysWOW64\8026c37c
2025-07-08 23:00:53,342 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-07-08 23:00:53,733 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-07-08 23:00:53,733 [lib.api.process] INFO: Successfully terminated process with pid 2792.
2025-07-08 23:00:53,890 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-07-13 06:59:06,460 [cuckoo.core.scheduler] INFO: Task #6697064: acquired machine win7x6426 (label=win7x6426)
2025-07-13 06:59:06,461 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.226 for task #6697064
2025-07-13 06:59:06,689 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3021594 (interface=vboxnet0, host=192.168.168.226)
2025-07-13 06:59:08,626 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6426
2025-07-13 06:59:09,415 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6426 to vmcloak
2025-07-13 07:00:16,335 [cuckoo.core.guest] INFO: Starting analysis #6697064 on guest (id=win7x6426, ip=192.168.168.226)
2025-07-13 07:00:17,341 [cuckoo.core.guest] DEBUG: win7x6426: not ready yet
2025-07-13 07:00:22,378 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6426, ip=192.168.168.226)
2025-07-13 07:00:22,475 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6426, ip=192.168.168.226, monitor=latest, size=6660546)
2025-07-13 07:00:24,263 [cuckoo.core.resultserver] DEBUG: Task #6697064: live log analysis.log initialized.
2025-07-13 07:00:25,232 [cuckoo.core.resultserver] DEBUG: Task #6697064 is sending a BSON stream
2025-07-13 07:00:25,733 [cuckoo.core.resultserver] DEBUG: Task #6697064 is sending a BSON stream
2025-07-13 07:00:26,529 [cuckoo.core.resultserver] DEBUG: Task #6697064: File upload for 'shots/0001.jpg'
2025-07-13 07:00:26,546 [cuckoo.core.resultserver] DEBUG: Task #6697064 uploaded file length: 133381
2025-07-13 07:00:38,973 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6697064 still processing
2025-07-13 07:00:54,083 [cuckoo.core.guest] DEBUG: win7x6426: analysis #6697064 still processing
2025-07-13 07:00:54,788 [cuckoo.core.resultserver] DEBUG: Task #6697064: File upload for 'curtain/1752008453.52.curtain.log'
2025-07-13 07:00:54,792 [cuckoo.core.resultserver] DEBUG: Task #6697064 uploaded file length: 36
2025-07-13 07:00:54,948 [cuckoo.core.resultserver] DEBUG: Task #6697064: File upload for 'sysmon/1752008453.67.sysmon.xml'
2025-07-13 07:00:55,001 [cuckoo.core.resultserver] DEBUG: Task #6697064 uploaded file length: 1731112
2025-07-13 07:00:55,037 [cuckoo.core.resultserver] DEBUG: Task #6697064: File upload for 'files/3e471b2ca8b1dbfc_8026c37c'
2025-07-13 07:00:55,154 [cuckoo.core.resultserver] DEBUG: Task #6697064 uploaded file length: 4194304
2025-07-13 07:00:55,187 [cuckoo.core.resultserver] DEBUG: Task #6697064 had connection reset for <Context for LOG>
2025-07-13 07:00:57,103 [cuckoo.core.guest] INFO: win7x6426: analysis completed successfully
2025-07-13 07:00:57,118 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-07-13 07:00:57,176 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-07-13 07:00:58,159 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6426 to path /srv/cuckoo/cwd/storage/analyses/6697064/memory.dmp
2025-07-13 07:00:58,166 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6426
2025-07-13 07:02:50,553 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.226 for task #6697064
2025-07-13 07:02:51,236 [cuckoo.core.scheduler] DEBUG: Released database task #6697064
2025-07-13 07:02:51,251 [cuckoo.core.scheduler] INFO: Task #6697064: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
  • UPX - (no description)
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode
  • DebuggerCheck__QueryInfo - (no description)
  • ThreadControl__Context - (no description)
  • anti_dbg - Checks if being debugged
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • network_http - Communications over HTTP
  • network_dns - Communications use DNS
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
  • resource name: VMP
Foreign language identified in PE resource (2 events)
  • name: VMP; language: LANG_CHINESE; sublanguage: SUBLANG_CHINESE_SIMPLIFIED; filetype: PE32+ executable (DLL) (GUI) x86-64, for MS Windows; offset: 0x0003e0f0; size: 0x00020e00
  • name: RT_VERSION; language: LANG_CHINESE; sublanguage: SUBLANG_CHINESE_SIMPLIFIED; filetype: MIPSEB-LE ECOFF executable not stripped - version 0.79; offset: 0x0005eef0; size: 0x00000160
Creates a service (1 event)
  • CreateServiceW (status: 1; return: 5062520; repeated: 0)
      service_start_name: LocalSystem
      start_type: 2
      password:
      display_name: T7fmjM32MCK
      filepath: C:\Windows\SysWOW64\8026c37c
      service_name: 9krP4Zl4g5
      filepath_r: C:\Windows\Syswow64\8026c37c
      desired_access: 983551
      service_handle: 0x004d3f78
      error_control: 1
      service_type: 16
      service_manager_handle: 0x004d3fa0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
  • LookupPrivilegeValueW (status: 1; return: 1; repeated: 0)
      system_name:
      privilege_name: SeDebugPrivilege
  • LookupPrivilegeValueW (status: 1; return: 1; repeated: 0)
      system_name:
      privilege_name: SeTcbPrivilege
Raised Snort alerts (2 events)
  • snort: ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
  • snort: ET DNS Query to a *.top domain - Likely Hostile
Raised Suricata alerts (2 events)
  • suricata: ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
  • suricata: ET DNS Query to a *.top domain - Likely Hostile
Installs itself for autorun at Windows startup (1 event)
  • service_name: 9krP4Zl4g5; service_path: C:\Windows\SysWOW64\8026c37c
File has been identified by 12 AntiVirus engines on IRMA as malicious (12 events)
  • G Data Antivirus (Windows): Virus: Generic.Dacic.5901.DB547D89 (Engine A), Win32.Trojan.PSE.1XKCGNB (Engine B)
  • Avast Core Security (Linux): Win32:MalwareX-gen [Bd]
  • C4S ClamAV (Linux): Win.Malware.Barys-10002593-0
  • WithSecure (Linux): Trojan.TR/AVI.Agent.qmsxb
  • eScan Antivirus (Linux): Generic.Dacic.5901.DB547D89(DB)
  • ESET Security (Windows): a variant of Win32/Sfuzuan.AB trojan
  • Sophos Anti-Virus (Linux): Mal/Generic-S
  • DrWeb Antivirus (Linux): Trojan.Siggen21.32276
  • ClamAV (Linux): Win.Malware.Barys-10002593-0
  • Bitdefender Antivirus (Linux): Generic.Dacic.5901.DB547D89
  • Kaspersky Standard (Windows): HEUR:Backdoor.Win32.Convagent.gen
  • Emsisoft Commandline Scanner (Windows): Generic.Dacic.5901.DB547D89 (B)
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)
  • Bkav: W32.AIDetectMalware
  • Lionic: Trojan.Win32.Dacic.m!c
  • tehtris: Generic.Malware
  • Cynet: Malicious (score: 100)
  • CAT-QuickHeal: Trojan.IgenericPMF.S31413103
  • Skyhigh: BehavesLike.Win32.Generic.rh
  • ALYac: Generic.Dacic.5901.DB547D89
  • Cylance: Unsafe
  • VIPRE: Generic.Dacic.5901.DB547D89
  • Sangfor: Suspicious.Win32.Save.pkr
  • CrowdStrike: win/malicious_confidence_100% (W)
  • BitDefender: Generic.Dacic.5901.DB547D89
  • K7GW: Trojan ( 005abe551 )
  • K7AntiVirus: Trojan ( 005abe551 )
  • Arcabit: Generic.Dacic.5901.DB547D89
  • VirIT: Trojan.Win32.YiZhiZhuanT.DIC
  • Symantec: ML.Attribute.HighConfidence
  • Elastic: malicious (high confidence)
  • ESET-NOD32: a variant of Win32/Sfuzuan.AB
  • APEX: Malicious
  • Avast: Win32:MalwareX-gen [Bd]
  • ClamAV: Win.Malware.Barys-10002593-0
  • Kaspersky: HEUR:Backdoor.Win32.Convagent.gen
  • Alibaba: Backdoor:Win32/Sfuzuan.2768152a
  • NANO-Antivirus: Trojan.Win32.Convagent.kbfnrf
  • MicroWorld-eScan: Generic.Dacic.5901.DB547D89
  • Rising: Trojan.Sfuzuan!1.F142 (CLASSIC)
  • Emsisoft: Generic.Dacic.5901.DB547D89 (B)
  • F-Secure: Trojan.TR/AVI.Agent.qmsxb
  • DrWeb: Trojan.Siggen21.32276
  • Zillya: Trojan.Sfuzuan.Win32.847
  • McAfeeD: Real Protect-LS!2886CC176856
  • Trapmine: malicious.high.ml.score
  • CTX: exe.trojan.sfuzuan
  • Sophos: Mal/Generic-S
  • SentinelOne: Static AI - Malicious PE
  • Jiangmin: Backdoor.Convagent.oj
  • Webroot: Win.Trojan.Gen
  • Google: Detected
  • Avira: TR/AVI.Agent.qmsxb
  • Antiy-AVL: Trojan/Win32.Sfuzuan
  • Kingsoft: Win32.Hack.Convagent.gen
  • Gridinsoft: Trojan.Win32.Generic.st!s1
  • Microsoft: Trojan:Win32/Sfuzuan.EN!MTB
  • ViRobot: Trojan.Win.Z.Sfuzuan.4194304.AFS
  • GData: Generic.Dacic.5901.DB547D89
  • Varist: W32/Gulpix.F.gen!Eldorado
  • AhnLab-V3: Malware/Win32.RL_Generic.R355135
  • VBA32: BScope.Trojan.Tiggre
  • DeepInstinct: MALICIOUS
Screenshots

Name / Response / Post-Analysis Lookup
No hosts contacted.

IP Address / Status / Action / VT / Location
No hosts contacted.