metasploit | 6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39

General

Target

6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe
Size

4.6MB
MD5

2a2f7842b3dc5ee4b6c2f6d225dcb6dc
SHA1

49edab8d0c81f7554aa236155f80172393a2df75
SHA256

6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39
SHA512

2d83cc70b880e041a065f2c24f418ed786dae5258604caab8cc007fbcf799917a15d52764057123af7edd919be13b34a8b81102e5e1bfc7d3b30478ee5aaa73c
SSDEEP

98304:/PuHQcsibw8SPLeTtSQo5Z8DERxrfExYzrR3nk8Y5TfvtJK:nuwcXMHLKy6txmxk8sJK

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.198.129:6666

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Loads dropped DLL 4 IoCs

pid	Process
2280	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe
2280	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe
2280	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe
2280	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	2280	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2280	2788	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe	29
PID 2788 wrote to memory of 2280	2788	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe	29
PID 2788 wrote to memory of 2280	2788	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe	29
PID 2788 wrote to memory of 2280	2788	6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe	29

C:\Users\Admin\AppData\Local\Temp\6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe
"C:\Users\Admin\AppData\Local\Temp\6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe
  "C:\Users\Admin\AppData\Local\Temp\6c8ed3fea4377b29b5c67935833a8daec2f4bcfc3ce60c218bf172657d2cab39.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27882\29.exe.manifest

Filesize
1KB

MD5
a37b8bbc57a5dfa3918e23020ffab6b5

SHA1
724fb676175e932db3b2e0ceeb54d8bb7a8e059b

SHA256
78675e7a2629f453d3273118b212355b12bdf7862e8bf56a6979120c0a464c67

SHA512
ab4e8a7c0701f15dd5662d05fc18fc8755bc2716cd03245ef7ec2e799bc0b6692312b96869d08fc868c065ff9f412a6baf17e520b816e1bd6dfdc12dfe9ba94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27882\Crypto.Cipher._AES.pyd

Filesize
29KB

MD5
3c4ab2e06feb6e4ca1b7a1244055671a

SHA1
a4c3c44b45248b7cf53881e6d8efa8d557e100a9

SHA256
c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23

SHA512
7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27882\MSVCR100.dll

Filesize
518KB

MD5
3c7c968ec4ace88feb3f3e5ed68917a7

SHA1
99be4fe601ed5676a12d3ef8d2e747e3084467f1

SHA256
33611dc39aa78e61eb8c0be806539d7a6170ec1b4fa92e4f79b8739a388899a4

SHA512
f209a438d5ab3234a92b359d09b94249a6fa72868fb57376edabe5bedbe3683e6a4c19cbb13cb29becc8d9e0d66a8ab368823f9640e6b632df6062aa64e001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27882\base_library.zip

Filesize
578KB

MD5
0baa05a9805591a586e6bcf09fc9123f

SHA1
fde9fda762dad1b4bcf23fc7ad88d279621e6197

SHA256
122b3456f5c59aa5069f379f2e17b2828171cdac58afbe750b1b20e42eb62b4f

SHA512
8dee6a342c88450af57fdb0278817cf52006641c4ece3209305287fc394a49edfa6b33a4f10ca165becb9548fdc2bf0ebfcb625b2d694785c87aae5d08c3ba7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27882\python34.dll

Filesize
1.9MB

MD5
c0a88d45ade82d8fc1193242a7f409db

SHA1
765591a593096d527021c3c46962049b7eb5d27a

SHA256
b2d313aa1f1879f72bd3066b1df858fb32174e957d419929dee2840dcab5d7c6

SHA512
a8917bbb5361bc5716ca1865ee950aeab6eaf9584d6799dc1368a49881cea940396b27a6905c921aeff9f672ac88f578889a4349fd54d9bbe6ebd00424ff7111

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27882\MSVCR100.dll

Filesize
510KB

MD5
12f935999875cf763888b36ed62995d8

SHA1
bb0678cd70c077eeffe4348c8e91dbf756618c0c

SHA256
44ecf1db5bab2dd9c7762438ad0481be15b840ee0fad0ccea9c083b011b96acd

SHA512
3dc829ec261f6d849c2eae392ae6c6a8ba0180748f5cc89b3156c00d4ac5f927825681d62f037e0596287b9dd1c96aba1861818c7b002fd08b9862bb82c06901

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27882\_ctypes.pyd

Filesize
83KB

MD5
5d1bc1be2f02b4a2890e921af15190d2

SHA1
057c88438b40cd8e73554274171341244f107139

SHA256
97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

SHA512
9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27882\python34.dll

Filesize
917KB

MD5
5c72ad46dbd0199991933a1df896d552

SHA1
ca374724235609dc3ba3f4ee28ec465c2be6f324

SHA256
a3099e63f715fefa7086c4f55ee879c29a3fca0065474f43a32ae38c8c2c18a8

SHA512
50560b28ae23b0db5e1e413f912ecacf0056f2db774c6ad4eb3a51c1b3fb43696a5f205a6521a3dbe72ab30d06462d96aa963db1a08b46652d2b413b0aa1f518

Download Submit
memory/2280-25-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2280-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2788-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads