metasploit | 24c0626f5b64a968e1a60eeedda06961dff2b1da0e1a068da4cfc3b5d92d534c | Triage

Resubmissions

12-06-2023 09:02

230612-kznjbabb53 10

13-05-2023 14:39

230513-rz96msag5t 10

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2023 14:39

Sharing

Report Analysis Logs

General

Target

1.exe
Size

72KB
MD5

816d311e8370fc494523422a845a761a
SHA1

9cb1b0a9a8fb257a2a04cbb6d0d7ed00b37ce13d
SHA256

24c0626f5b64a968e1a60eeedda06961dff2b1da0e1a068da4cfc3b5d92d534c
SHA512

eb772cf03e989b537c0d1b48fec0cb6397cc5935752a1c106ce55bc9042631d0f1d376f54e7a0b863adc23cd7b8d5a71bc4584421abda92ec61087f6b4524fb4
SSDEEP

1536:IfWVX12L2XQdyJiNRXnaFaXjBIo4wKK90Mb+KR0Nc8QsJq39:CWvC2XdJ6aKNDzCe0Nc8QsC9

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

198.13.56.131:3789

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4364	916	1.exe	84
PID 916 wrote to memory of 4364	916	1.exe	84
PID 916 wrote to memory of 4364	916	1.exe	84

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:4364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-133-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download