General

  • Target

    482108fbb466a1a178f67e4408c0751955dd587fa56ee6f6485511c785b40b40

  • Size

    186KB

  • Sample

    241130-13jmjaxjcv

  • MD5

    b47c94d3a3f02875f66865fb0b730988

  • SHA1

    077ec3265559e3a4ba56c79013e1f5c0e494c467

  • SHA256

    482108fbb466a1a178f67e4408c0751955dd587fa56ee6f6485511c785b40b40

  • SHA512

    2c75c27fb8edebfa32f0d1d9e126046577fb41d80acf0075b2e8baa632839363f7da9d1f2d193dd0b0b055a6dac0b6da065348cd475c65d7fc2067b47e6db595

  • SSDEEP

    3072:71qgiTJiDB6t5KakPrYUYAkDl36xokKLAiC6LndU0XRcQYkI9pNh971:ziqakD9ScoKVundPOQHCVD

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Targets

    • Target

      482108fbb466a1a178f67e4408c0751955dd587fa56ee6f6485511c785b40b40

    • Size

      186KB

    • MD5

      b47c94d3a3f02875f66865fb0b730988

    • SHA1

      077ec3265559e3a4ba56c79013e1f5c0e494c467

    • SHA256

      482108fbb466a1a178f67e4408c0751955dd587fa56ee6f6485511c785b40b40

    • SHA512

      2c75c27fb8edebfa32f0d1d9e126046577fb41d80acf0075b2e8baa632839363f7da9d1f2d193dd0b0b055a6dac0b6da065348cd475c65d7fc2067b47e6db595

    • SSDEEP

      3072:71qgiTJiDB6t5KakPrYUYAkDl36xokKLAiC6LndU0XRcQYkI9pNh971:ziqakD9ScoKVundPOQHCVD

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks