General
-
Target
http://89.197.154.116/?C=M;O=D
-
Sample
250128-3hnrvsvjav
Malware Config
Extracted
metasploit
windows/reverse_tcp
89.197.154.116:7810
Extracted
metasploit
windows/reverse_http
http://89.197.154.116:7810/nBToDGkEDccfmB6ZeN43LQts7hqNmqK_VX6-BS_IVcYCHoHiRq6AeDd6kmpK5K0ObUA4rfqWhqBnvB2uqyvfpzC8kCkjBTik2XoX-VuJYRtjnHqR
http://89.197.154.116:7810/sAF-Hb95OwOLTYpM7ZXwsQgEsvql3Gx6MJHfuQr8QdwRJXB7q4FYyI56qJG8zalB7qPf9Y2DgF4HohAo9zZHz5J6zulBUXtWgnGnggNFcsQikjL-e4grXzBikSLYainJD3tOK89zCOd7pp_0QdfoIKV-SRaleGy4oAkHR88EUwiPE3f6RWY6sd_-jrWrlj6IYEPUIMX_HdfnJMl8JutjGmpCb_ZVWaaX-Cv_abnB6xtSAMLOAGeP3lCuVD
Extracted
metasploit
windows/download_exec
http://192.168.180.12:7810/eTKX
- headers User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Targets
-
-
Target
http://89.197.154.116/?C=M;O=D
Score10/10-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
mimikatz is an open source tool to dump credentials on Windows
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-