metasploit | 2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd

General

Target

2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
Size

4.6MB
MD5

7af59aa45d22e7af2cfe581750c309c8
SHA1

14dab6bd55c4ea06139917c6cad77e8cf4ab06d1
SHA256

2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd
SHA512

1e7ba73b657f7422930ce12e8b6fda1b48918d3de4317ddfba15ef33ad560b7d5c44fc973906a56a52c2bdaa81027ed7f1599b5fe042a24f01519d4a01898ad7
SSDEEP

98304:/DZHQcsibw8SPLeTtSQo5o8DERxrfExYz1smfNyzVa8tS6HcBV:LZwcXMHLKyTtx0lIz0t6HGV

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

10.13.1.24:5656

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Loads dropped DLL 4 IoCs

Processes:

2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

pid	process
2176	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
2176	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
2176	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
2176	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

description pid process

Token: 35 2176 2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

description	pid	process
Token: 35	2176	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

description	pid	process	target process
PID 2152 wrote to memory of 2176	2152	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
PID 2152 wrote to memory of 2176	2152	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
PID 2152 wrote to memory of 2176	2152	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
PID 2152 wrote to memory of 2176	2152	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe	2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21522\MSVCR100.dll
Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21522\base_library.zip
Filesize
717KB

MD5
df1d3f647a03d12f51b2639d21d8f3f5

SHA1
3297a097bff9cdff5ddbf89053f08d78dbf97d04

SHA256
186b2cc73b338daf2472c93b5de24292bc5828d22e6ba0ad8f9e7422ad69a3b7

SHA512
c5a19e716ae5b9e18f5906df8d92c87bd213760caf22930a77d9e8324d80a3d072775e6df5f05581e96545c81f0cf3acbafd390a4968c6a2ffb133094c2d1bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21522\payload.exe.manifest
Filesize
1KB

MD5
fdae7492d1832efe2dc4baeaa92a4514

SHA1
c78c6f7bf029f6fd004322f579321e83b5071873

SHA256
80a743012f5fb4dd39aaa3de75d919812ff75754940582bbf12627fb8a31f40b

SHA512
5ae0d6be6d6d84f82741bb9f5e5b4c5ce5d8def1d14b279941c71f81c2b38be20fe5f94454c26930a245afec93bc792de3e168abbc87acc55a5881898c3c84f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21522\python34.dll
Filesize
2.6MB

MD5
10f32f75b689d2a513865800f4d2f541

SHA1
369186600de0ee1f51edaa4943b87382237107a3

SHA256
9f3d6960d2a502ea6f2e108556597ec7c1fe1b590ee40d46662ce5fc0ddc9391

SHA512
f0f1d3b4b4d77320d148a332e224ac203b0adf24f744825bcf19012d08ec83ed91ac5ab5e5e0eecad5d13a7898302b7ccc393460caa4c837d4a896863fc8f5c7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21522\Crypto.Cipher._AES.pyd
Filesize
29KB

MD5
3c4ab2e06feb6e4ca1b7a1244055671a

SHA1
a4c3c44b45248b7cf53881e6d8efa8d557e100a9

SHA256
c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23

SHA512
7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21522\_ctypes.pyd
Filesize
83KB

MD5
5d1bc1be2f02b4a2890e921af15190d2

SHA1
057c88438b40cd8e73554274171341244f107139

SHA256
97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

SHA512
9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

Download Submit
memory/2152-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2176-25-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2176-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing