metasploit | db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747 | Triage

Submit
Reports

Overview

overview

Static

static

db6cea7e8d...47.exe

windows7_x64

db6cea7e8d...47.exe

windows10-2004_x64

Sharing

General

Target

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
Size

185KB
Sample

220516-x33hvsdca6
MD5

15717cd327a723820d71900611545917
SHA1

99184ec149d329e98cd3e600cfaba22a2f9a0156
SHA256

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
SHA512

a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49

Score

10^/10

metasploit backdoor evasion persistence suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe

Resource

win7-20220414-en

metasploit backdoor evasion persistence suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
- Size
  
  185KB
- MD5
  
  15717cd327a723820d71900611545917
- SHA1
  
  99184ec149d329e98cd3e600cfaba22a2f9a0156
- SHA256
  
  db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
- SHA512
  
  a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49
Score

10^/10

metasploit backdoor evasion persistence suricata trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- suricata: ET MALWARE IRC Nick change on non-standard port
  suricata: ET MALWARE IRC Nick change on non-standard port
  suricata
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Modifies Installed Components in the registry
  persistence
- Modifies Windows Firewall
  evasion
- Deletes itself
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

metasploitbackdoorevasionpersistencesuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy