Malware Analysis Report

2024-09-23 03:50

Sample ID 240526-rn4jqaaa73
Target 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362
SHA256 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362
Tags
metasploit backdoor trojan pyinstaller
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362

Threat Level: Known bad

The file 92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan pyinstaller

MetaSploit

Loads dropped DLL

Unsigned PE

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-26 14:21

Signatures

Detects Pyinstaller

pyinstaller
Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A
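How a static "Detects Pyinstaller" hit is usually established, as an added example written for this page (it is not the sandbox's own rule, and the input is a constructed stand-in, not the sample): a PyInstaller onefile executable is the bootloader PE with a CArchive appended, and the archive ends in a fixed-layout cookie that begins with the magic bytes `MEI\x0c\x0b\x0a\x0b\x0e` and records the package length, the TOC position, the Python version and the name of the bundled Python library. Decoding that cookie is a stronger check than grepping for `_MEI` or `pyi-` strings, and it predicts what the behavioral runs then show on disk: an `_MEIxxxx` directory holding `python34.dll` and the `.pyd` extensions. The helper names and the stand-in blob below are the editor's, not PyInstaller's.

```python
import re
import struct

# PyInstaller CArchive cookie: the magic is the same in every version, the layout changed in 2.1
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_V21 = struct.Struct("!8sIIii64s")  # magic, pkg_len, toc_off, toc_len, pyvers, pylib_name
COOKIE_V20 = struct.Struct("!8siiii")     # PyInstaller 2.0: same fields minus the library name
PYLIB_RE = re.compile(r"^(lib)?python\d[\w.\-]*$", re.IGNORECASE)


def decode_pyvers(pyvers):
    """Older PyInstaller stores major*10+minor (3.4 -> 34); newer builds store major*100+minor
    (3.9 -> 309, 3.11 -> 311). Any value >= 100 can only be the newer scheme."""
    if pyvers >= 100:
        return pyvers // 100, pyvers % 100
    return pyvers // 10, pyvers % 10


def find_pyinstaller_cookie(data):
    """Return a dict describing the embedded CArchive if `data` is a PyInstaller onefile
    executable, else None. This is what a static 'Detects Pyinstaller' rule has to establish."""
    pos = data.rfind(PYINSTALLER_MAGIC)  # rfind: a code signature or other overlay may follow the cookie
    if pos == -1:
        return None
    remaining = len(data) - pos
    parsed = None
    if remaining >= COOKIE_V21.size:
        _, pkg_len, toc_off, toc_len, pyvers, pylib = COOKIE_V21.unpack_from(data, pos)
        pylib_name = pylib.split(b"\0", 1)[0].decode("ascii", "replace")
        if PYLIB_RE.match(pylib_name):  # e.g. python34.dll; garbage here means not a 2.1+ cookie
            parsed = (COOKIE_V21.size, pkg_len, toc_off, toc_len, pyvers, pylib_name)
    if parsed is None and remaining >= COOKIE_V20.size:
        _, pkg_len, toc_off, toc_len, pyvers = COOKIE_V20.unpack_from(data, pos)
        parsed = (COOKIE_V20.size, pkg_len, toc_off, toc_len, pyvers, None)
    if parsed is None:
        return None
    cookie_size, pkg_len, toc_off, toc_len, pyvers, pylib_name = parsed
    archive_start = pos + cookie_size - pkg_len  # pkg_len counts the cookie itself
    if archive_start < 0 or toc_off < 0 or toc_len < 0 or toc_off + toc_len > pkg_len:
        return None  # a stray magic whose lengths do not describe this file
    major, minor = decode_pyvers(pyvers)
    return {
        "python_version": (major, minor),
        "pylib_name": pylib_name,
        "cookie_layout": "2.1+" if pylib_name else "2.0",
        "archive_offset": archive_start,
        "archive_length": pkg_len,
        "toc_offset": archive_start + toc_off,  # toc_off is relative to the archive start
        "toc_length": toc_len,
    }


def build_fake_onefile(pyvers, pylib):
    """Constructed test input (not the sample): a bootloader stand-in with a minimal
    CArchive appended. Only the layout (body, TOC, cookie) matters for detection."""
    stub = b"MZ" + b"\0" * 510  # stands in for the bootloader PE
    body = b"\0" * 64           # stands in for the compressed entries
    toc = b"\0" * 32            # stands in for the table of contents
    pkg_len = len(body) + len(toc) + COOKIE_V21.size
    cookie = COOKIE_V21.pack(PYINSTALLER_MAGIC, pkg_len, len(body), len(toc), pyvers, pylib)
    return stub + body + toc + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_fake_onefile(34, b"python34.dll")))
    print(find_pyinstaller_cookie(b"MZ" + b"\0" * 1024))
```

Against the real sample the cookie should decode to Python 3.4 with `python34.dll` as the library, matching the files dropped under `_MEI3842` and `_MEI6242`; a mismatch between cookie and dropped files points at a tampered archive or a false positive. The length checks reject a magic that happens to occur in unrelated data, and the pyinstxtractor-style version decoding lets the same function handle old and current PyInstaller builds.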

Unsigned PE

Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 14:21

Reported

2024-05-26 14:23

Platform

win7-20240215-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Suspicious use of AdjustPrivilegeToken

Description: Token: 35
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe

"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"

C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe

"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"

Network

Country  Destination           Domain  Proto
N/A      192.168.188.128:5577  N/A     tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI3842\1.exe.manifest

MD5 0438cd033a562d3185f556f430fe722a
SHA1 aa2b55ac2476df339f8d3136f20a5709bde0f69c
SHA256 b49026e09006b519c4168f37c6311a92738592d5ba6451975c183caaa150f0e5
SHA512 f80657ed9481c38505fe1358fabb6b54e9b29cac28bf3219e0124420e30bec28a5c3e50e883d8465f6d7437a433b0ce730f1b37e8890acaded9f5bda4a817b43

C:\Users\Admin\AppData\Local\Temp\_MEI3842\python34.dll

MD5 4ee1ea91b7263bed66ff01bc80649e90
SHA1 a93b548933b291c13bb2e7cbc0c17409d2f875a4
SHA256 0f14047ea66eae192a9750f7b0e329873e8b554de58ca332c9acbdc4d63e10e3
SHA512 ef52f934aa39b5d6c6f152a9b5a159957e68471d117bd002330ee18d9143987d79dd7bce9208ce0ffb0699acb05169a15ed75d2ce4128e52e31b7f60f3ee51a4

C:\Users\Admin\AppData\Local\Temp\_MEI3842\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI3842\base_library.zip

MD5 cdf57168a1995b187681efea85b33500
SHA1 1e852b89fbd1adf4abc5135dbf7fbba53d3f38ec
SHA256 18a0fa1644ac09334dae491a5be7973b927a95ab7fcc8e8828ccbb249a5ed369
SHA512 9082951c3889d94e271f564893781f697ed2de5edfa9a033f7531a172d6349c14d23666f1b1857c09979d5518f19d7096bd7c3719d7e3302aa9eb92374c63e1e

C:\Users\Admin\AppData\Local\Temp\_MEI3842\Crypto.Cipher._AES.pyd

MD5 3c4ab2e06feb6e4ca1b7a1244055671a
SHA1 a4c3c44b45248b7cf53881e6d8efa8d557e100a9
SHA256 c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23
SHA512 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

C:\Users\Admin\AppData\Local\Temp\_MEI3842\_ctypes.pyd

MD5 5d1bc1be2f02b4a2890e921af15190d2
SHA1 057c88438b40cd8e73554274171341244f107139
SHA256 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da
SHA512 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

memory/2056-25-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/384-27-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2056-28-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 14:21

Reported

2024-05-26 14:23

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Suspicious use of AdjustPrivilegeToken

Description: Token: 35
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe

"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"

C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe

"C:\Users\Admin\AppData\Local\Temp\92aa56502b7643248c5dcae5d1391bf7aa60065a153f58c35b46fe679f7eb362.exe"

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53            28.118.140.52.in-addr.arpa    udp
N/A      192.168.188.128:5577  N/A                           tcp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53            71.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            149.220.183.52.in-addr.arpa   udp
US       8.8.8.8:53            157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53            0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53            13.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53            91.90.14.23.in-addr.arpa      udp
US       8.8.8.8:53            30.73.42.20.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI6242\1.exe.manifest

MD5 0438cd033a562d3185f556f430fe722a
SHA1 aa2b55ac2476df339f8d3136f20a5709bde0f69c
SHA256 b49026e09006b519c4168f37c6311a92738592d5ba6451975c183caaa150f0e5
SHA512 f80657ed9481c38505fe1358fabb6b54e9b29cac28bf3219e0124420e30bec28a5c3e50e883d8465f6d7437a433b0ce730f1b37e8890acaded9f5bda4a817b43

C:\Users\Admin\AppData\Local\Temp\_MEI6242\python34.dll

MD5 4ee1ea91b7263bed66ff01bc80649e90
SHA1 a93b548933b291c13bb2e7cbc0c17409d2f875a4
SHA256 0f14047ea66eae192a9750f7b0e329873e8b554de58ca332c9acbdc4d63e10e3
SHA512 ef52f934aa39b5d6c6f152a9b5a159957e68471d117bd002330ee18d9143987d79dd7bce9208ce0ffb0699acb05169a15ed75d2ce4128e52e31b7f60f3ee51a4

C:\Users\Admin\AppData\Local\Temp\_MEI6242\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\_MEI6242\base_library.zip

MD5 cdf57168a1995b187681efea85b33500
SHA1 1e852b89fbd1adf4abc5135dbf7fbba53d3f38ec
SHA256 18a0fa1644ac09334dae491a5be7973b927a95ab7fcc8e8828ccbb249a5ed369
SHA512 9082951c3889d94e271f564893781f697ed2de5edfa9a033f7531a172d6349c14d23666f1b1857c09979d5518f19d7096bd7c3719d7e3302aa9eb92374c63e1e

C:\Users\Admin\AppData\Local\Temp\_MEI6242\Crypto.Cipher._AES.pyd

MD5 3c4ab2e06feb6e4ca1b7a1244055671a
SHA1 a4c3c44b45248b7cf53881e6d8efa8d557e100a9
SHA256 c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23
SHA512 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

C:\Users\Admin\AppData\Local\Temp\_MEI6242\_ctypes.pyd

MD5 5d1bc1be2f02b4a2890e921af15190d2
SHA1 057c88438b40cd8e73554274171341244f107139
SHA256 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da
SHA512 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

memory/3152-25-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/624-27-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3152-28-0x0000000000400000-0x0000000000430000-memory.dmp
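The two detonations above can be reconciled into one IOC set. The script below is an added example written for this page (not part of the report or of the sandbox) and runs on a constructed excerpt of the report's own lines. It keys dropped files by SHA256, so the byte-identical copies under `_MEI3842` and `_MEI6242` collapse to one entry with a wildcarded path; it separates the 53/udp PTR lookups from the 5577/tcp connection; and it classifies the latter by address space. Because 192.168.188.128 is RFC 1918, the callback cannot be reached from a victim network: it proves the C2 channel exists but is not a perimeter indicator, which is the caveat to attach before pushing anything from this report to a blocklist. Treating the `in-addr.arpa` queries as name resolution rather than sample-controlled traffic is a working assumption of the example, not a finding of the report.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the behavioral1 and behavioral2 sections above,
# trimmed to two dropped files per detonation (MD5/SHA256 only) to keep the example short.
REPORT_EXCERPT = r"""
Country Destination Domain Proto
N/A 192.168.188.128:5577 tcp

C:\Users\Admin\AppData\Local\Temp\_MEI3842\1.exe.manifest
MD5 0438cd033a562d3185f556f430fe722a
SHA256 b49026e09006b519c4168f37c6311a92738592d5ba6451975c183caaa150f0e5
C:\Users\Admin\AppData\Local\Temp\_MEI3842\python34.dll
MD5 4ee1ea91b7263bed66ff01bc80649e90
SHA256 0f14047ea66eae192a9750f7b0e329873e8b554de58ca332c9acbdc4d63e10e3
memory/2056-28-0x0000000000400000-0x0000000000430000-memory.dmp

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 192.168.188.128:5577 tcp

C:\Users\Admin\AppData\Local\Temp\_MEI6242\1.exe.manifest
MD5 0438cd033a562d3185f556f430fe722a
SHA256 b49026e09006b519c4168f37c6311a92738592d5ba6451975c183caaa150f0e5
C:\Users\Admin\AppData\Local\Temp\_MEI6242\python34.dll
MD5 4ee1ea91b7263bed66ff01bc80649e90
SHA256 0f14047ea66eae192a9750f7b0e329873e8b554de58ca332c9acbdc4d63e10e3
memory/3152-28-0x0000000000400000-0x0000000000430000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Network rows carry 3 or 4 fields (Domain may be absent), so a plain split() would misalign them
NET_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)-memory\.dmp$")
MEI_RE = re.compile(r"\\_MEI\d+\\")  # PyInstaller's per-run extraction directory


def extract_iocs(text):
    """Parse the report's flattened Files / Network / memory-dump lines into deduplicated IOC sets."""
    files = defaultdict(lambda: {"paths": set(), "generic_path": None, "hashes": {}})
    network = {}
    dumps = defaultdict(set)
    pending = None  # file entry whose hash lines are still being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            pending = {"path": line, "hashes": {}}
            continue
        m = HASH_RE.match(line)
        if m and pending is not None:
            pending["hashes"][m.group(1)] = m.group(2).lower()
            sha256 = pending["hashes"].get("SHA256")
            if sha256:  # key by content, so the same file dropped under two _MEI dirs merges
                entry = files[sha256]
                entry["paths"].add(pending["path"])
                entry["generic_path"] = MEI_RE.sub(r"\\_MEI*\\", pending["path"])
                entry["hashes"].update(pending["hashes"])
            continue
        m = NET_RE.match(line)
        if m:
            country, host, port, domain, proto = m.groups()
            rec = network.setdefault(f"{host}:{port}", {"proto": proto, "country": country,
                                                        "domains": set(), "private": False,
                                                        "kind": "callback"})
            if domain:
                rec["domains"].add(domain)
            try:
                rec["private"] = ipaddress.ip_address(host).is_private
            except ValueError:  # destination given as a hostname; leave private=False
                pass
            if port == "53":    # name resolution, not a channel the sample controls (assumption)
                rec["kind"] = "dns"
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps[(int(m.group(2), 16), int(m.group(3), 16))].add(int(m.group(1)))
    return {"files": dict(files), "network": network, "dumps": dict(dumps)}


def blockable_callbacks(iocs):
    """Callback destinations that are routable from a victim network and so worth blocking."""
    return sorted(k for k, v in iocs["network"].items() if v["kind"] == "callback" and not v["private"])


def lab_callbacks(iocs):
    """Callbacks into RFC 1918 space: evidence of the C2 channel, not a perimeter indicator."""
    return sorted(k for k, v in iocs["network"].items() if v["kind"] == "callback" and v["private"])


if __name__ == "__main__":
    result = extract_iocs(REPORT_EXCERPT)
    print(len(result["files"]), "unique files; lab-only callbacks:", lab_callbacks(result))
```

Fed the complete Files and Network sections instead of the excerpt, the same code yields six unique dropped files rather than two and the same network verdict: no routable callback. The memory dumps are grouped by address range, and on the full report the 0x400000-0x430000 region appears for two processes in each run (384 and 2056, 624 and 3152), consistent with the executable being launched twice as the Processes sections list.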