Extracted

• • Target

    702639c970cd22d7251b63cef004509c9fba742419c9ff8f818b5d47ded8f9ce

  • Size

    180KB

  • MD5

    d6abdf9845d5948f814b72d5397446d5

  • SHA1

    9880a216e2a36c7ada39ea1b580a5661aa2ac14a

  • SHA256

    702639c970cd22d7251b63cef004509c9fba742419c9ff8f818b5d47ded8f9ce

  • SHA512

    783c477442e3d7869f6252bb0201bdc54c72ea8deb28e169f20e05aa20c8306118dd697d7737c8aaa5e32abd9ccfc2311c7f49e64011b507881231c2ff3b2f51

  • SSDEEP

    3072:iO0j0EfPM5qpeCVV34Ay4rlLSJ1MVoCMnxZUfUKIAtC4HS13BJQWwsS+ArxoKTIH:n0j0EfP+qgSV3ty5JGMxmfUK5gOWwsSk

  Score

  10^/10

  metasploitbackdoorevasionpersistencetrojanupx

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Modifies firewall policy service

    evasion

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2