metasploit | 1197dc8fab822747c6fb2cfecd917a17e45b417237a5c6a99dd3585a1d2c407d | Triage

Submit
Reports

Overview

overview

Static

static

1197dc8fab...7d.exe

windows7_x64

1197dc8fab...7d.exe

windows10-2004_x64

Sharing

General

Target

1197dc8fab822747c6fb2cfecd917a17e45b417237a5c6a99dd3585a1d2c407d
Size

229KB
Sample

220604-crzmlshgdp
MD5

94de0eca22a51386728d08d404e27338
SHA1

c605eb37c4a9503b74187051510d0cf7e43ac4cd
SHA256

1197dc8fab822747c6fb2cfecd917a17e45b417237a5c6a99dd3585a1d2c407d
SHA512

646889e0d260ff4248a47391f70a634d6852f332e6e4751d1ae9b831a7aa18bebd6f14e72a8ee76b118547995f1e512718a2bb48611795d3ca8393142dbe29c7

Score

10^/10

metasploit backdoor trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

1197dc8fab822747c6fb2cfecd917a17e45b417237a5c6a99dd3585a1d2c407d.exe

Resource

win7-20220414-en

metasploit backdoor trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

1197dc8fab822747c6fb2cfecd917a17e45b417237a5c6a99dd3585a1d2c407d.exe

Resource

win10v2004-20220414-en

metasploit backdoor trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

- Target
  
  1197dc8fab822747c6fb2cfecd917a17e45b417237a5c6a99dd3585a1d2c407d
- Size
  
  229KB
- MD5
  
  94de0eca22a51386728d08d404e27338
- SHA1
  
  c605eb37c4a9503b74187051510d0cf7e43ac4cd
- SHA256
  
  1197dc8fab822747c6fb2cfecd917a17e45b417237a5c6a99dd3585a1d2c407d
- SHA512
  
  646889e0d260ff4248a47391f70a634d6852f332e6e4751d1ae9b831a7aa18bebd6f14e72a8ee76b118547995f1e512718a2bb48611795d3ca8393142dbe29c7
Score

10^/10

metasploit backdoor trojan upx
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

metasploitbackdoortrojanupx

behavioral2

metasploitbackdoortrojanupx

© 2018-2024

Terms | Privacy