metasploit | 44d90bc60c6cff9d3ea06b2b3057326f594b7662e2154a1595c816ec730e2555

Sharing

Copy URL Twitter E-mail

General

Target

44d90bc60c6cff9d3ea06b2b3057326f594b7662e2154a1595c816ec730e2555
Size

4.0MB
MD5

3215f75026989732e863feb0304d487f
SHA1

af248cbf78c177ed42079f6cc6bbcb1b0587898b
SHA256

44d90bc60c6cff9d3ea06b2b3057326f594b7662e2154a1595c816ec730e2555
SHA512

438e93e084d11bda157d8ff19254eb626a78b4812ef13b1ddb5cd09be295a59e7936bdf724453dbca1050cd0fad054d5dcdb053b85b293764acb55f743d9e8c4
SSDEEP

49152:1h7MpqhDbgYpcmzXY7IHEUWPstn5XPJa+JAd0j+CrU9aHeUyDujknPEhhFzhlFt6:77Mp2RdsA5X4aPvJNhh/lSYtQ

Score

10^/10

metasploit

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

192.168.1.0:4445

Signatures

Metasploit family
metasploit

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
44d90bc60c6cff9d3ea06b2b3057326f594b7662e2154a1595c816ec730e2555

Files

44d90bc60c6cff9d3ea06b2b3057326f594b7662e2154a1595c816ec730e2555
.exe windows:6 windows x86 arch:x86

2372a510663575e218ece860e8ec85bb

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\jenkins\FCT0\GIT_CLONE_PARENT\FortiClientHS\service\FCInstallerLight\full\Win32\Release\FortiClientInstaller.pdb

Imports

kernel32

VerSetConditionMask
GetCommandLineW
DecodePointer
CloseHandle
RaiseException
GetLastError
SetLastError
InitializeCriticalSectionEx
DeleteCriticalSection
CreateMutexW
OpenMutexW
GetCurrentProcess
GetCurrentProcessId
OpenProcess
GetSystemDirectoryW
FreeLibrary
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
LoadLibraryExW
LoadResource
SizeofResource
SetDefaultDllDirectories
LocalFree
lstrcmpiW
LoadLibraryW
FindResourceW
SetSearchPathMode
VerifyVersionInfoW
MultiByteToWideChar
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
SetFileAttributesW
SetEvent
WaitForSingleObject
CreateEventW
TerminateThread
ProcessIdToSessionId
Sleep
CreateThread
GetTickCount
WaitForMultipleObjects
GetTimeZoneInformation
WideCharToMultiByte
GetLocaleInfoW
ExpandEnvironmentStringsW
SetCurrentDirectoryW
CreateDirectoryW
GetFullPathNameW
GetTempPathW
CancelIo
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetWaitableTimer
CancelWaitableTimer
GetCurrentThreadId
GetVersionExW
CreateWaitableTimerW
GetUserDefaultLCID
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
GetEnvironmentVariableW
SearchPathW
CreateFileW
GetCurrentDirectoryW
GetFileSize
QueryPerformanceCounter
ReadFile
GetFileSizeEx
FileTimeToSystemTime
DeviceIoControl
CreateNamedPipeW
WaitForMultipleObjectsEx
ReleaseMutex
DisconnectNamedPipe
OutputDebugStringW
ResetEvent
GetOverlappedResult
ConnectNamedPipe
FlushFileBuffers
GetLongPathNameW
K32EnumProcesses
GetWindowsDirectoryW
WTSGetActiveConsoleSessionId
GetComputerNameW
CreateProcessW
GetVolumeInformationW
SetThreadLocale
GetUserDefaultUILanguage
GetACP
LocalAlloc
SetNamedPipeHandleState
WriteFile
WaitNamedPipeW
TlsSetValue
GetFullPathNameA
UnmapViewOfFile
GetLogicalDriveStringsW
GetFileAttributesExW
TlsAlloc
TlsGetValue
CreateFileMappingW
MapViewOfFile
GetDriveTypeW
QueryDosDeviceW
GetLogicalDrives
FindFirstVolumeMountPointW
FindFirstVolumeW
HeapFree
FindVolumeMountPointClose
TerminateProcess
K32GetModuleFileNameExW
GetVolumePathNameW
HeapSize
GetVolumeNameForVolumeMountPointW
FindNextVolumeMountPointW
HeapReAlloc
HeapAlloc
HeapDestroy
ReadProcessMemory
FindVolumeClose
GetProcessHeap
FindNextVolumeW
OpenThread
OpenEventW
GetSystemDirectoryA
GetLocalTime
GetCurrentThread
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
WaitForSingleObjectEx
IsDebuggerPresent
GetStartupInfoW
GetSystemTimeAsFileTime
InitializeSListHead
EncodePointer
InterlockedPopEntrySList
InterlockedPushEntrySList
FlushInstructionCache
VirtualAlloc
VirtualFree
SetConsoleMode
GetSystemTime
SystemTimeToFileTime
FormatMessageA
GetStringTypeW
GetLocaleInfoEx
FindFirstFileExW
GetDiskFreeSpaceExW
GetFileInformationByHandle
GetFinalPathNameByHandleW
SetFileInformationByHandle
SetFileTime
AreFileApisANSI
CreateDirectoryExW
CopyFileW
MoveFileExW
CreateHardLinkW
GetFileInformationByHandleEx
CreateSymbolicLinkW
QueryPerformanceFrequency
LCMapStringEx
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
InitOnceExecuteOnce
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
CreateEventExW
CreateSemaphoreExW
FlushProcessWriteBuffers
GetCurrentProcessorNumber
GetTickCount64
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
CompareStringEx
GetCPInfo
RtlUnwind
InterlockedFlushSList
TlsFree
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
GetStdHandle
SetFilePointerEx
GetConsoleMode
ReadConsoleW
GetConsoleCP
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
IsValidLocale
EnumSystemLocalesW
SetStdHandle
SetEndOfFile
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
SetConsoleCtrlHandler
OutputDebugStringA
WriteConsoleW
VirtualLock
SwitchToFiber
DeleteFiber
CreateFiberEx
LoadLibraryA
ConvertFiberToThread
ConvertThreadToFiberEx
GlobalMemoryStatus
ReadConsoleA

ncrypt

BCryptGenRandom

Exports

Exports

BeginHttpRequest
BeginHttpResponse
FCP_add_param
FCP_append_objdata_ff
FCP_break_obj_header
FCP_breakup_data_item
FCP_calculate_obj_head_chksum
FCP_chk_partial_obj_files
FCP_cleanup
FCP_clear_object_storage
FCP_clear_package
FCP_clear_params
FCP_clear_request
FCP_clear_response
FCP_combine_params
FCP_create_package_hdr
FCP_del_param
FCP_delete_file
FCP_get_file_size
FCP_get_obj_resume_info
FCP_get_object_desc
FCP_get_param
FCP_init_object_storage
FCP_init_package
FCP_init_params
FCP_init_request
FCP_init_request_for_sending
FCP_init_response
FCP_init_response_for_sending
FCP_initialize
FCP_load_object
FCP_load_package
FCP_pack_obj
FCP_parse_params
FCP_recv_request
FCP_recv_response
FCP_send_n_recv
FCP_send_object
FCP_send_request
FCP_send_response
FCP_set_param
FCP_unpack_obj
FCP_unpack_obj_ff
FCP_unpack_obj_fnfn
FCP_verify_object_hdr
FCP_verify_package_hdr
FR_cleanup
FR_close
FR_connect
FR_connected
FR_get_local_addr
FR_initialize
FR_read
FR_write

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 737KB - Virtual size: 736KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 168KB - Virtual size: 167KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 139KB - Virtual size: 139KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

2372a510663575e218ece860e8ec85bb

Headers

File Characteristics

PDB Paths

Imports

kernel32

ncrypt

Exports

Exports

Sections

.text Size: 3.0MB - Virtual size: 3.0MB

.rdata Size: 737KB - Virtual size: 736KB

.data Size: 19KB - Virtual size: 45KB

.didat Size: 1KB - Virtual size: 1KB

.rsrc Size: 168KB - Virtual size: 167KB

.reloc Size: 139KB - Virtual size: 139KB

.text
Size: 3.0MB - Virtual size: 3.0MB

.rdata
Size: 737KB - Virtual size: 736KB

.data
Size: 19KB - Virtual size: 45KB

.didat
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 168KB - Virtual size: 167KB

.reloc
Size: 139KB - Virtual size: 139KB