metasploit | d6f91424d9ddcd934eca5d2e3fb65dba42b4c2ec3ce1a9f5e90f19e0b0b70dc6

Analysis

max time kernel
0s
max time network
1s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe
Size

4.8MB
MD5

38531f553d3fbb005986a8dc1918a3d7
SHA1

5094614a0de1fa6715f768eaa62aaaf71f5edddd
SHA256

d6f91424d9ddcd934eca5d2e3fb65dba42b4c2ec3ce1a9f5e90f19e0b0b70dc6
SHA512

c283afc7903eebc32daf2b297d9356c25c611c8355169a4ecc14e8a3ba2158917363f43a221836e704da42b256f90d70a854aebd14b402ce5004ef00cfe1d567
SSDEEP

98304:Knsmtk2a9pCd614yoqkcpDcL6o2mpQ5ZuzM/Vy1adhZ0HMvP2JQgD8PFyJgRqTS9:ELCBVovcdcL9tpQezKVJdhZIS+JQgDm9

Score

10^/10

metasploit xred backdoor discovery trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.206.130:6666

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2372	2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2372	2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2372
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe"
  2⤵
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_38531f553d3fbb005986a8dc1918a3d7_amadey_cobalt-strike_smoke-loader.exe

Filesize
72KB

MD5
8d31616cfd91970715bfdbdf11a71bdd

SHA1
643783e9619cf5160eb83da3464be51a3c0a7877

SHA256
f6d976dfa966f7e7130a9cdd842e1894aae8361e659fc20159e00c87503310e5

SHA512
fce02f48f4884174eb9725e0d507b5b77c6ce1a123c1bcb6a7ccfba24820199321ab0ef373135fdb5b3549803e39ff2999fd427bef22d7f75bca4bd912d8ff5d

Download Submit
memory/2372-0-0x00000000004A5000-0x00000000006CF000-memory.dmp

Filesize
2.2MB

Download
memory/2372-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2372-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2372-8-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download