General
-
Target
1.zip
-
Size
1.1MB
-
Sample
210701-l57nfyaga2
-
MD5
596d2a2eb4de54b1de23c89f143d7a0d
-
SHA1
794ed20881a8814b81ed65aa4191f7a5c9c9c07e
-
SHA256
4a476ab77608f9f6a8db6b30913a5c488a8c0f26c5ef8d0f9239b944dc4c65a6
-
SHA512
2f989e6d597f86acfe74cb472acb3399f234041a50e858e66ba2221232660e611d8a4264ae15096657ee61890c985a0443ca8412f9ffba727c07093433cb14bb
Malware Config
Extracted
metasploit
windows/reverse_tcp
192.168.0.13:4444
Extracted
metasploit
windows/shell_bind_tcp
Targets
-
-
Target
43a1a231b2adbe6e91968b7afcbefb9bc294dde1b424d414a5484c9474615d8c
-
Size
1.2MB
-
MD5
d18a2e17f286159742d1f04992713c37
-
SHA1
31a13827bb88b0168d8d3a189eb156579f88fc62
-
SHA256
43a1a231b2adbe6e91968b7afcbefb9bc294dde1b424d414a5484c9474615d8c
-
SHA512
4fbabb54c88bf7897881d4b7e4018de38c18d54f2380126ad0174201a4f2d495803f9d6f4293c06f2c3bfcef890931984385c44cfa8265a2fef27b5534f09753
Score10/10-
Modifies visiblity of hidden/system files in Explorer
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
-
-
Target
bcfe3d60d486159e6f7be7125c895261e1acb505d3e822435931b390f681c696
-
Size
72KB
-
MD5
22d6dc959ead2cf5829148acebc3443b
-
SHA1
a720d7287bb02d7ef4cef403cf99d9c6466d9a55
-
SHA256
bcfe3d60d486159e6f7be7125c895261e1acb505d3e822435931b390f681c696
-
SHA512
7405ac77f2af495f983e5173cf68d353b649ea7f5badc596d66801d601454cb3944a52cd8bb72dbcc8bafc73b7e54a3524dcf9b6b1323be8c83d7a9495be11f2
Score10/10-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
-
-
Target
ec0b5fdabc40cd695df1646bcfd075f274965bcd6a99bf602ebff6d730067593
-
Size
42KB
-
MD5
728a137d22476b6196993d54d1224ec6
-
SHA1
b9aa95f4389c7cdea42183cf5e5ceb8a958f1288
-
SHA256
ec0b5fdabc40cd695df1646bcfd075f274965bcd6a99bf602ebff6d730067593
-
SHA512
f17c63370597f356d0341b1bdc6070589fb7169ba0b31d8466d6d106ce82e5b0990ca7829bfab14f5079a742be6d87172bfa32c9e2ff9d3950c4e4a2ecdd57d2
Score9/10-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
-
-
Target
f22f6f84c1973dee6db5b5626a33747f1cacd3d79b6feb5417c4b813f7d29a5a
-
Size
535KB
-
MD5
ff6e6d498ceced452937c19f1b9b7775
-
SHA1
83167161f2c7c9efaddbdf4b3c46cb7cba0e1613
-
SHA256
f22f6f84c1973dee6db5b5626a33747f1cacd3d79b6feb5417c4b813f7d29a5a
-
SHA512
fbb5fb12702340212a228be90967afd5474d7992fcddcb570a1f6d5435097e2a5e9bb9ca0d5aa9d0c2c35009eb0e06df49657a77d0738ac85a77cfb862b4ecf2
Score10/10-
Modifies visiblity of hidden/system files in Explorer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
fb4a5b2640630135153b34842602421669edc7d1cf6f3f690418ff52734161b4
-
Size
66KB
-
MD5
57869f4a110c9967da3ca19b7d9586c0
-
SHA1
5b72a294bd0f35117cb47ff1f8e5a4c099d83dee
-
SHA256
fb4a5b2640630135153b34842602421669edc7d1cf6f3f690418ff52734161b4
-
SHA512
7dd5275be4dcdb0c75f11e2045bb8a5f606332b197842ea30c378279b4f8acaba34549c20c14f604cfc886aaf075209d517beccbd9f630de783537e7a1bff162
Score1/10 -
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Scheduled Task
2Defense Evasion
Hidden Files and Directories
2Modify Registry
7Install Root Certificate
2Virtualization/Sandbox Evasion
2