Malware Analysis Report

2025-08-06 04:05

Sample ID 240121-vx68rafabr
Target 6d988bbda5ef54637b3ea71bf4e1c20a
SHA256 39fe6e7592a827fba416a4f7b1f510fceee01b0630e6e64ec11a59c178e1eb9a
Tags
pyinstaller metasploit backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39fe6e7592a827fba416a4f7b1f510fceee01b0630e6e64ec11a59c178e1eb9a

Threat Level: Known bad

The file 6d988bbda5ef54637b3ea71bf4e1c20a was found to be: Known bad.

Malicious Activity Summary

pyinstaller metasploit backdoor trojan

MetaSploit

Loads dropped DLL

Unsigned PE

Detects Pyinstaller

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-21 17:23

Signatures

Detects Pyinstaller

pyinstaller
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 17:23

Reported

2024-01-21 17:25

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe

"C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe"

C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe

"C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe"

Network

Country  Destination       Domain  Proto
TR       85.100.86.99:443          tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI19682\payload.exe.manifest

MD5 c6448fee978bae358e5b4fac9245e0fc
SHA1 dbd9ff334cefbc1d5f534b0b80e6217f2524f766
SHA256 4ba2fd7a4774518d5b0023eca95f9962cc5ffa06d98ffa64885ae31f36291d65
SHA512 6450b3fe57b2661ecdbffe4c70f8900383ebb49eea4bc2cbb36f49fa5f6118e7fda75a7f046db4d6408414c5369e5241d8f72d45d2845d918cf1e5900c1c8648

C:\Users\Admin\AppData\Local\Temp\_MEI19682\python27.dll

MD5 60248140a9298365d072d8f2af9bbb7f
SHA1 a1fdffd3fcb3622e1debec517c311b300098a81a
SHA256 388604ebd2568016e298082c723b077f0e58d4207eb4746572a04d7f15fbe98f
SHA512 8208691f1e08d851a0bb8698424869013070d25b21d74157e7c01b691f88b5fe6f05072ae46fb943af7d0a2b4b8b86b7a0b81c89525a04f8a5b3d946b9fa3b3a

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto.Cipher._AES.pyd

MD5 dd3db5480eb52e8f69d47f3b725e6bfb
SHA1 cb14cda7f5e3e2b88c823e4d15643680398b361e
SHA256 51054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe
SHA512 c94216dcd0dc3000304b2b4704dd29bfeed35c9b6158d3ff1cc86084a1753060b72bd48678d5662c8e10205e1a866361f7a455f177dbf364814ee317679bff23

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\_ctypes.pyd

MD5 c5422db93c5fd74e09db36ddf975da9e
SHA1 023c33abd230ff3a546283da64a782eb9a7d257d
SHA256 96846a901d0d793fb77ff0b6488a904dc675a8d5273a442888d41d9a32bb845b
SHA512 169456c06a7e7c3bd63bfa0c88a90a0bbbf9866f142d103b8c2ca31507fa86e0782d76406b5769defd02323d2df6eaaab42559b9437668d466e370414d96a962

memory/2196-19-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1968-20-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2196-21-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2196-41-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1968-50-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 17:23

Reported

2024-01-21 17:25

Platform

win10v2004-20231222-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe

"C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe"

C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe

"C:\Users\Admin\AppData\Local\Temp\6d988bbda5ef54637b3ea71bf4e1c20a.exe"

Network

Country  Destination         Domain                        Proto
TR       85.100.86.99:443                                  tcp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          138.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53          204.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          g.bing.com                    udp
US       204.79.197.200:443  g.bing.com                    tcp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53          88.156.103.20.in-addr.arpa    udp
US       8.8.8.8:53          11.2.37.23.in-addr.arpa       udp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          28.160.77.104.in-addr.arpa    udp
US       8.8.8.8:53          182.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI30962\payload.exe.manifest

MD5 c6448fee978bae358e5b4fac9245e0fc
SHA1 dbd9ff334cefbc1d5f534b0b80e6217f2524f766
SHA256 4ba2fd7a4774518d5b0023eca95f9962cc5ffa06d98ffa64885ae31f36291d65
SHA512 6450b3fe57b2661ecdbffe4c70f8900383ebb49eea4bc2cbb36f49fa5f6118e7fda75a7f046db4d6408414c5369e5241d8f72d45d2845d918cf1e5900c1c8648

C:\Users\Admin\AppData\Local\Temp\_MEI30962\python27.dll

MD5 9b3f51bc28c17558f24f040daeaa7ec8
SHA1 faf6f5da4a10c0b197b03c87b4cc1b656e74ac40
SHA256 8d12d1c65a8c3f448d71268b4d000d9227f6ed4c50b433f2d81c4445e8f55559
SHA512 cdb41db1879a6299f0dabe9d4e15efa6e969f73879cd986ae537d25926cdca648345570e6afa7f835200f9fb63177e3180d7e7ac5cd60c7ac42f23239700d7fd

C:\Users\Admin\AppData\Local\Temp\_MEI30962\python27.dll

MD5 c73b05508232fcabf58f3850b8ac64b4
SHA1 6606108eb929b91fc6edab9df3abd81620764765
SHA256 ed2ce8b40b7025267344f0773d694b980ffa7810e0b57e6dca105e1d7925a673
SHA512 4967950fdfdf94b8f974cc232049e8340f7be7259a125777a21b890a9064ce81a31a47d5ca72b6d3335e7b6a10dee4f58a3a66814634f162ab75d60cf46b6d4b

C:\Users\Admin\AppData\Local\Temp\_MEI30962\Crypto.Cipher._AES.pyd

MD5 dd3db5480eb52e8f69d47f3b725e6bfb
SHA1 cb14cda7f5e3e2b88c823e4d15643680398b361e
SHA256 51054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe
SHA512 c94216dcd0dc3000304b2b4704dd29bfeed35c9b6158d3ff1cc86084a1753060b72bd48678d5662c8e10205e1a866361f7a455f177dbf364814ee317679bff23

C:\Users\Admin\AppData\Local\Temp\_MEI30~1\_ctypes.pyd

MD5 c5422db93c5fd74e09db36ddf975da9e
SHA1 023c33abd230ff3a546283da64a782eb9a7d257d
SHA256 96846a901d0d793fb77ff0b6488a904dc675a8d5273a442888d41d9a32bb845b
SHA512 169456c06a7e7c3bd63bfa0c88a90a0bbbf9866f142d103b8c2ca31507fa86e0782d76406b5769defd02323d2df6eaaab42559b9437668d466e370414d96a962

memory/4460-19-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/3096-20-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4460-21-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3096-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4460-41-0x0000000000400000-0x0000000000430000-memory.dmp