General
- Target: 4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22
- Size: 516KB
- Sample: 220708-y3s5vshhd6
- MD5: 0d468d8b2a1f7f599575a60378554192
- SHA1: 2b3b2c9faf513e262ad623bd3c21ee4cc1a4ad2d
- SHA256: 4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22
- SHA512: b009e1ff811fa525591ea9259b4c0d7b5e10c914dc8f8be7f0d6843c1beadf79305a96f60ad752922af95d25ef90adfa7c7485d9467130b44920faba9d11b747
Static task: static1
Behavioral task: behavioral1
- Sample: 4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22.exe
- Resource: win10v2004-20220414-en
Malware Config
- Extracted: metasploit
- encoder/call4_dword_xor
Targets
- Target: 4048086659a25f46c3bbe14643948d28ba004a68407476c5e8b95dfeca458b22
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext