metasploit | f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca | Triage

Sharing

General

Target

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca
Size

1.9MB
Sample

201108-qashbnabks
MD5

449fdd7efd9d93a0ade55e13d5bd93da
SHA1

1b1bc5942cdde5880e23e4b01c4f78215fda2656
SHA256

f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca
SHA512

7c7bcf69669cf9ac4f6228a6de1094bf988fa1ef6e7cbe32f158b6c8aae76ca294c29fabbe29b4b59c937d0d152d70fab807f4d6a77b294937a2c0c1428ce965

Score

10^/10

metasploit backdoor evasion persistence trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
31.44.184.108
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://31.44.184.48:80/tv99

Attributes

headers User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; InfoPath.2)

Targets

- Target
  
  f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca
- Size
  
  1.9MB
- MD5
  
  449fdd7efd9d93a0ade55e13d5bd93da
- SHA1
  
  1b1bc5942cdde5880e23e4b01c4f78215fda2656
- SHA256
  
  f0c37f1d0fd2327c9dc4d60732b0883f3cae4b48115939723a9f894b3e9aa0ca
- SHA512
  
  7c7bcf69669cf9ac4f6228a6de1094bf988fa1ef6e7cbe32f158b6c8aae76ca294c29fabbe29b4b59c937d0d152d70fab807f4d6a77b294937a2c0c1428ce965
Score

10^/10

metasploit backdoor evasion persistence trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- UAC bypass
  evasion trojan
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Executes dropped EXE
- Stops running service(s)
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- JavaScript code in executable
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Bypass User Account Control

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Tasks

static1

behavioral1

metasploitbackdoorevasionpersistencetrojan

behavioral2

metasploitbackdoorevasionpersistencetrojan