General

  • Target

    6d47b57641c1a77dfee5936f57acd3a5

  • Size

    192KB

  • Sample

    240121-pddjfadab4

  • MD5

    6d47b57641c1a77dfee5936f57acd3a5

  • SHA1

    0b18c34470f2bf4a842682d6ed4b8842e275b89f

  • SHA256

    85057d4de7a020aa015e2ffec53288027ce475e3df426e462bb7beffbab91ca6

  • SHA512

    d593236dcab8d2e38c20c05621f12374ec7033108778f687a46204630bf92ebccd320d8cab27cbb1dab8c281ff5b675f14500345289178a5f7bb2182d0d6d485

  • SSDEEP

    3072:JpLBJINfkw8GlYsWJYmi1uUF0HprVtWKBMR7PlPB2:JZ812WOph/MRT58

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
