File 470288a8683987932909034c63de86e18ca0e7f1279249c5cdd85287b283399b

Size 89.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 492629d0286213a87d901a6da23f5907
SHA1 3234d1fe111b70da6619fda70b54114f7a70896e
SHA256 470288a8683987932909034c63de86e18ca0e7f1279249c5cdd85287b283399b
SHA512 708dbdf7728dd1bb002fde4063920ff51e9a3e8e44a56bd221d400cb23f6f102529cd68c2c8fb45b6cb3ea21cb3108906766e9bd7225de29992a43d9064b5e8a
CRC32 6359A6AC
ssdeep None
Yara
  • network_irc - Communications over IRC network
  • network_dropper - File downloader/dropper
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • keylogger - Run a keylogger
  • spreading_share - Malware can spread east-west using share drive
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: April 5, 2025, 12:58 p.m.
Completed: April 5, 2025, 1:05 p.m.
Duration: 422 seconds
Routing: internet

Analyzer Log

2025-04-04 19:58:05,015 [analyzer] DEBUG: Starting analyzer from: C:\tmp2pjrvv
2025-04-04 19:58:05,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\usyQMaQmgXtSSUKO
2025-04-04 19:58:05,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\rSJTncFWRTrnyeojThpoNPvRlkqW
2025-04-04 19:58:05,296 [analyzer] DEBUG: Started auxiliary module Curtain
2025-04-04 19:58:05,296 [analyzer] DEBUG: Started auxiliary module DbgView
2025-04-04 19:58:05,750 [analyzer] DEBUG: Started auxiliary module Disguise
2025-04-04 19:58:05,953 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-04-04 19:58:05,953 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-04-04 19:58:05,953 [analyzer] DEBUG: Started auxiliary module Human
2025-04-04 19:58:05,953 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-04-04 19:58:05,953 [analyzer] DEBUG: Started auxiliary module Reboot
2025-04-04 19:58:06,078 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-04-04 19:58:06,078 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-04-04 19:58:06,078 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-04-04 19:58:06,078 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-04-04 19:58:06,217 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\470288a8683987932909034c63de86e18ca0e7f1279249c5cdd85287b283399b.exe' with arguments '' and pid 2884
2025-04-04 19:58:06,437 [analyzer] DEBUG: Loaded monitor into process with pid 2884
2025-04-04 19:58:06,453 [analyzer] INFO: Added new file to list with pid 2884 and path C:\Windows\win32dc\BattleField 1942(cdfix).exe
2025-04-04 19:58:06,453 [analyzer] INFO: Added new file to list with pid 2884 and path C:\Windows\win32dc\Half-Life 2_hack.exe
2025-04-04 19:58:06,483 [analyzer] INFO: Added new file to list with pid 2884 and path C:\Windows\win32dc\Quake3 + nocd.exe
2025-04-04 19:58:06,500 [analyzer] INFO: Added new file to list with pid 2884 and path C:\Windows\win32dc\FlatOut(serial).exe
2025-04-04 19:58:06,515 [analyzer] INFO: Added new file to list with pid 2884 and path C:\Windows\win32dc\BattleField 1942_cdfix.exe
2025-04-04 19:58:06,546 [analyzer] INFO: Added new file to list with pid 2884 and path C:\Windows\win32dc\Doom 3 + crack.exe
2025-04-04 19:58:06,562 [analyzer] INFO: Added new file to list with pid 2884 and path C:\Windows\win32dc\Silent Hill 4 + codes.exe
2025-04-04 19:58:06,592 [analyzer] INFO: Added new file to list with pid 2884 and path C:\Windows\win32dc\Silent Hill 4_trainer.exe
2025-04-04 19:58:35,217 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-04-04 19:58:36,187 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-04-04 19:58:36,187 [lib.api.process] INFO: Successfully terminated process with pid 2884.
2025-04-04 19:58:36,250 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-04-05 12:58:57,060 [cuckoo.core.scheduler] INFO: Task #6227050: acquired machine win7x648 (label=win7x648)
2025-04-05 12:58:57,062 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.208 for task #6227050
2025-04-05 12:58:57,459 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 146932 (interface=vboxnet0, host=192.168.168.208)
2025-04-05 12:58:57,658 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x648
2025-04-05 12:58:58,397 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x648 to vmcloak
2025-04-05 13:02:03,419 [cuckoo.core.guest] INFO: Starting analysis #6227050 on guest (id=win7x648, ip=192.168.168.208)
2025-04-05 13:02:04,591 [cuckoo.core.guest] DEBUG: win7x648: not ready yet
2025-04-05 13:02:09,849 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x648, ip=192.168.168.208)
2025-04-05 13:02:09,961 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x648, ip=192.168.168.208, monitor=latest, size=6660546)
2025-04-05 13:02:11,186 [cuckoo.core.resultserver] DEBUG: Task #6227050: live log analysis.log initialized.
2025-04-05 13:02:12,105 [cuckoo.core.resultserver] DEBUG: Task #6227050 is sending a BSON stream
2025-04-05 13:02:12,559 [cuckoo.core.resultserver] DEBUG: Task #6227050 is sending a BSON stream
2025-04-05 13:02:13,397 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'shots/0001.jpg'
2025-04-05 13:02:13,409 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 136373
2025-04-05 13:02:25,946 [cuckoo.core.guest] DEBUG: win7x648: analysis #6227050 still processing
2025-04-05 13:02:41,316 [cuckoo.core.guest] DEBUG: win7x648: analysis #6227050 still processing
2025-04-05 13:02:42,004 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'curtain/1743789515.48.curtain.log'
2025-04-05 13:02:42,024 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 36
2025-04-05 13:02:42,293 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'sysmon/1743789515.77.sysmon.xml'
2025-04-05 13:02:42,734 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 1801416
2025-04-05 13:02:42,798 [cuckoo.core.resultserver] DEBUG: Task #6227050 had connection reset for <Context for LOG>
2025-04-05 13:02:42,804 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'files/ac7411080aeab46a_flatout(serial).exe'
2025-04-05 13:02:42,828 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 92699
2025-04-05 13:02:42,834 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'files/053ceb6e96c1fbd5_battlefield 1942_cdfix.exe'
2025-04-05 13:02:42,847 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 94747
2025-04-05 13:02:42,850 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'files/84d030179af2f734_quake3 + nocd.exe'
2025-04-05 13:02:42,855 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 94747
2025-04-05 13:02:42,857 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'files/0bff88a8d642a7c4_doom 3 + crack.exe'
2025-04-05 13:02:42,877 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 95771
2025-04-05 13:02:42,883 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'files/c1c5fc27c149219f_silent hill 4_trainer.exe'
2025-04-05 13:02:42,899 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 95771
2025-04-05 13:02:42,904 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'files/b09073cbf9ca5036_battlefield 1942(cdfix).exe'
2025-04-05 13:02:42,915 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 91675
2025-04-05 13:02:42,927 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'files/2d1fa9febd23ecee_silent hill 4 + codes.exe'
2025-04-05 13:02:42,930 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 94747
2025-04-05 13:02:42,931 [cuckoo.core.resultserver] DEBUG: Task #6227050: File upload for 'files/44ae3d90ddb31728_half-life 2_hack.exe'
2025-04-05 13:02:42,933 [cuckoo.core.resultserver] DEBUG: Task #6227050 uploaded file length: 93723
2025-04-05 13:02:44,334 [cuckoo.core.guest] INFO: win7x648: analysis completed successfully
2025-04-05 13:02:44,346 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-04-05 13:02:44,375 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-04-05 13:02:45,411 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x648 to path /srv/cuckoo/cwd/storage/analyses/6227050/memory.dmp
2025-04-05 13:02:45,413 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x648
2025-04-05 13:05:59,009 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.208 for task #6227050
2025-04-05 13:05:59,393 [cuckoo.core.scheduler] DEBUG: Released database task #6227050
2025-04-05 13:05:59,411 [cuckoo.core.scheduler] INFO: Task #6227050: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
rule network_irc: Communications over IRC network
rule network_dropper: File downloader/dropper
rule network_tcp_socket: Communications over RAW socket
rule network_dns: Communications use DNS
rule keylogger: Run a keylogger
rule spreading_share: Malware can spread east-west using share drive
rule win_mutex: Create or check mutex
rule win_registry: Affect system registries
rule win_private_profile: Affect private profile
rule win_files_operation: Affect private profile
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
Creates executable files on the filesystem (8 events)
file C:\Windows\win32dc\FlatOut(serial).exe
file C:\Windows\win32dc\BattleField 1942_cdfix.exe
file C:\Windows\win32dc\Quake3 + nocd.exe
file C:\Windows\win32dc\Doom 3 + crack.exe
file C:\Windows\win32dc\Silent Hill 4_trainer.exe
file C:\Windows\win32dc\Silent Hill 4 + codes.exe
file C:\Windows\win32dc\BattleField 1942(cdfix).exe
file C:\Windows\win32dc\Half-Life 2_hack.exe
File has been identified by 14 AntiVirus engines on IRMA as malicious (14 events)
G Data Antivirus (Windows) Virus: Dropped:Generic.Malware.S!dld!.C425D330 (Engine A), Win32.Worm.MyDoom.B (Engine B)
Avast Core Security (Linux) Win32:IRCBot-EXE [Trj]
C4S ClamAV (Linux) Win.Trojan.Delf-6717398-0
Trend Micro SProtect (Linux) TROJ_DELF.SMUA
Trellix (Linux) Generic BackDoor.ww trojan
WithSecure (Linux) Worm.WORM/Rbot.Gen
eScan Antivirus (Linux) Dropped:Generic.Malware.S!dld!.C425D330(DB)
ESET Security (Windows) a variant of Win32/LunaStorm.D worm
Sophos Anti-Virus (Linux) Troj/Luiha-BN
DrWeb Antivirus (Linux) Trojan.Siggen3.61286
ClamAV (Linux) Win.Trojan.Delf-6717398-0
Bitdefender Antivirus (Linux) Dropped:Generic.Malware.S!dld!.C425D330
Kaspersky Standard (Windows) Backdoor.Win32.Delf.cst
Emsisoft Commandline Scanner (Windows) Dropped:Generic.Malware.S!dld!.C425D330 (B)
File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)
Bkav W32.AIDetectMalware
MicroWorld-eScan Dropped:Generic.Malware.S!dld!.C425D330
Cylance Unsafe
CrowdStrike win/malicious_confidence_100% (W)
K7GW EmailWorm ( 005771db1 )
K7AntiVirus EmailWorm ( 005771db1 )
Baidu Win32.Trojan.Delf.j
VirIT Backdoor.Win32.Generic.CFDD
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/LunaStorm.D
APEX Malicious
Cynet Malicious (score: 100)
NANO-Antivirus Trojan.Win32.Delf.dplrap
SUPERAntiSpyware Trojan.Agent/Gen-IRCBot
Rising Backdoor.Delf!1.64C1 (CLASSIC)
Emsisoft Dropped:Generic.Malware.S!dld!.C425D330 (B)
F-Secure Worm.WORM/Rbot.Gen
DrWeb Trojan.Siggen3.61286
Zillya Backdoor.Delf.Win32.10118
Trapmine malicious.moderate.ml.score
Sophos Troj/Luiha-BN
SentinelOne Static AI - Malicious PE
Webroot W32.Malware.gen
Avira WORM/Rbot.Gen
Antiy-AVL Trojan[Backdoor]/Win32.Delf.cst
Kingsoft malware.kb.a.1000
Gridinsoft Backdoor.Win32.Delf.bot!s1
Xcitium TrojWare.Win32.TrojanDownloader.Delf.gen@1xqow5
Microsoft Worm:Win32/Fesber!pz
ViRobot Backdoor.Win32.A.Delf.49664.C
ZoneAlarm Troj/Luiha-BN
AhnLab-V3 Backdoor/Win32.Delf.R27090
Acronis suspicious
VBA32 Exploit.Letipig
TACHYON Backdoor/W32.DP-Small.Zen
Malwarebytes Generic.Malware.AI.DDS
Ikarus Trojan.Win32.IRCBot
Zoner Trojan.Win32.22030
Tencent Trojan.Win32.Dropper.aaw
huorong Backdoor/IRCBot.bi
alibabacloud Backdoor:Win/LunaStorm.03d7a9d4
Screenshots

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action / VT / Location)
No hosts contacted.