Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-04-2024 18:20

General

  • Target

    de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb.dll

  • Size

    71KB

  • MD5

    05d0dbfe2b283d68835bad401b2d1f29

  • SHA1

    f05d782d30707b43e924a3839aeaa93aea64e77a

  • SHA256

    de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb

  • SHA512

    a22d84d88cf938fe421e43e02be54449d99926de00664cd20d4d2aa6f5206789c69177db891169f2597a1648e28bddbdbd2c345df51c2f075698a0213773809e

  • SSDEEP

    1536:otNzVQFop4QflDN7rdWkfrZZgsWccdl/AToP08Y:yDRptlDN7Jfrjcl/ATc08Y

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://90aaaeb62492.ngrok.io:80/Th2n

Attributes
  • headers User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Blocklisted process makes network request (4 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  • Program crash (1 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\de64f766c5148db03d216ee7b88ba1ab51b74e4b34aa6ef7315882d0881c71eb.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1796
        3⤵
        • Program crash
        PID:3436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 748 -ip 748
    1⤵
      PID:3096

Network

MITRE ATT&CK Matrix (ATT&CK v13)


Downloads

  • memory/748-0-0x0000000000940000-0x0000000000941000-memory.dmp
    Filesize
    4KB

  • memory/748-7-0x0000000004310000-0x0000000004710000-memory.dmp
    Filesize
    4.0MB