Malware Analysis Report

2024-10-18 21:32

Sample ID 240520-mcs7dsfg6v
Target 2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd
SHA256 2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd
Tags: pyinstaller metasploit backdoor trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd

Threat Level: Known bad

The file 2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd was found to be: Known bad.

Malicious Activity Summary

Tags: pyinstaller metasploit backdoor trojan

MetaSploit

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 10:19

Signatures

Detects Pyinstaller

Tags: pyinstaller

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 10:19

Reported

2024-05-20 10:22

Platform

win7-20231129-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"

Signatures

MetaSploit

Tags: trojan backdoor metasploit

Suspicious use of AdjustPrivilegeToken

Description: Token: 35
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"

C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"

Network

Country  Destination      Domain  Proto
N/A      10.13.1.24:5656  -       tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21522\payload.exe.manifest

MD5 fdae7492d1832efe2dc4baeaa92a4514
SHA1 c78c6f7bf029f6fd004322f579321e83b5071873
SHA256 80a743012f5fb4dd39aaa3de75d919812ff75754940582bbf12627fb8a31f40b
SHA512 5ae0d6be6d6d84f82741bb9f5e5b4c5ce5d8def1d14b279941c71f81c2b38be20fe5f94454c26930a245afec93bc792de3e168abbc87acc55a5881898c3c84f1

C:\Users\Admin\AppData\Local\Temp\_MEI21522\python34.dll

MD5 10f32f75b689d2a513865800f4d2f541
SHA1 369186600de0ee1f51edaa4943b87382237107a3
SHA256 9f3d6960d2a502ea6f2e108556597ec7c1fe1b590ee40d46662ce5fc0ddc9391
SHA512 f0f1d3b4b4d77320d148a332e224ac203b0adf24f744825bcf19012d08ec83ed91ac5ab5e5e0eecad5d13a7898302b7ccc393460caa4c837d4a896863fc8f5c7

C:\Users\Admin\AppData\Local\Temp\_MEI21522\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

\Users\Admin\AppData\Local\Temp\_MEI21522\_ctypes.pyd

MD5 5d1bc1be2f02b4a2890e921af15190d2
SHA1 057c88438b40cd8e73554274171341244f107139
SHA256 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da
SHA512 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

\Users\Admin\AppData\Local\Temp\_MEI21522\Crypto.Cipher._AES.pyd

MD5 3c4ab2e06feb6e4ca1b7a1244055671a
SHA1 a4c3c44b45248b7cf53881e6d8efa8d557e100a9
SHA256 c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23
SHA512 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

memory/2176-25-0x0000000000530000-0x0000000000531000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI21522\base_library.zip

MD5 df1d3f647a03d12f51b2639d21d8f3f5
SHA1 3297a097bff9cdff5ddbf89053f08d78dbf97d04
SHA256 186b2cc73b338daf2472c93b5de24292bc5828d22e6ba0ad8f9e7422ad69a3b7
SHA512 c5a19e716ae5b9e18f5906df8d92c87bd213760caf22930a77d9e8324d80a3d072775e6df5f05581e96545c81f0cf3acbafd390a4968c6a2ffb133094c2d1bcb

memory/2152-27-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2176-28-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 10:19

Reported

2024-05-20 10:22

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"

Signatures

MetaSploit

Tags: trojan backdoor metasploit

Suspicious use of AdjustPrivilegeToken

Description: Token: 35
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"

C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe

"C:\Users\Admin\AppData\Local\Temp\2eb58b5eecb7d846b4bfbe1d240d86a18f110573c969e2dc004c89b6ade171fd.exe"

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           97.17.167.52.in-addr.arpa     udp
N/A      10.13.1.24:5656      -                             tcp
US       8.8.8.8:53           17.160.190.20.in-addr.arpa    udp
NL       23.62.61.75:443      www.bing.com                  tcp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53           75.61.62.23.in-addr.arpa      udp
US       8.8.8.8:53           209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53           56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53           79.190.18.2.in-addr.arpa      udp
US       8.8.8.8:53           43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa   udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI47802\payload.exe.manifest

MD5 fdae7492d1832efe2dc4baeaa92a4514
SHA1 c78c6f7bf029f6fd004322f579321e83b5071873
SHA256 80a743012f5fb4dd39aaa3de75d919812ff75754940582bbf12627fb8a31f40b
SHA512 5ae0d6be6d6d84f82741bb9f5e5b4c5ce5d8def1d14b279941c71f81c2b38be20fe5f94454c26930a245afec93bc792de3e168abbc87acc55a5881898c3c84f1

C:\Users\Admin\AppData\Local\Temp\_MEI47802\python34.dll

MD5 10f32f75b689d2a513865800f4d2f541
SHA1 369186600de0ee1f51edaa4943b87382237107a3
SHA256 9f3d6960d2a502ea6f2e108556597ec7c1fe1b590ee40d46662ce5fc0ddc9391
SHA512 f0f1d3b4b4d77320d148a332e224ac203b0adf24f744825bcf19012d08ec83ed91ac5ab5e5e0eecad5d13a7898302b7ccc393460caa4c837d4a896863fc8f5c7

C:\Users\Admin\AppData\Local\Temp\_MEI47802\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI47802\Crypto.Cipher._AES.pyd

MD5 3c4ab2e06feb6e4ca1b7a1244055671a
SHA1 a4c3c44b45248b7cf53881e6d8efa8d557e100a9
SHA256 c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23
SHA512 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

C:\Users\Admin\AppData\Local\Temp\_MEI47802\_ctypes.pyd

MD5 5d1bc1be2f02b4a2890e921af15190d2
SHA1 057c88438b40cd8e73554274171341244f107139
SHA256 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da
SHA512 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

C:\Users\Admin\AppData\Local\Temp\_MEI47802\base_library.zip

MD5 df1d3f647a03d12f51b2639d21d8f3f5
SHA1 3297a097bff9cdff5ddbf89053f08d78dbf97d04
SHA256 186b2cc73b338daf2472c93b5de24292bc5828d22e6ba0ad8f9e7422ad69a3b7
SHA512 c5a19e716ae5b9e18f5906df8d92c87bd213760caf22930a77d9e8324d80a3d072775e6df5f05581e96545c81f0cf3acbafd390a4968c6a2ffb133094c2d1bcb

memory/4784-25-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/4780-27-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4784-28-0x0000000000400000-0x0000000000430000-memory.dmp