General

  • Target

    NoThreatDetected8c3d8916a14b4156322bb43a6e242de886e45d7ca9ff19a988d29c51ab5371cfN

  • Size

    258KB

  • Sample

    240921-f54ehaxbqp

  • MD5

    da3bf6ccc1cee7d67040d09dd4df9dc0

  • SHA1

    b4038221a5f27007c01ac8e63dead050defe57e2

  • SHA256

    8c3d8916a14b4156322bb43a6e242de886e45d7ca9ff19a988d29c51ab5371cf

  • SHA512

    a53aca59c161f26ade538995a440ddf7952e968db7a23a30517aa9a37631a7ab058a261840634b0bd6255575166d3cb32b13bf2685f02eaccd3715b2a2bb8561

  • SSDEEP

    6144:Zgs50XbdMUZjlZZH1AWupPaWo5TZ5xp5:ys6LdMUZj7hCW8C5Tvx

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor

Targets

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read to detect sandbox environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
