metasploit | 7a286c84b6ed0e75b68d9bd2318516edd2c156df8374ac6394e8fdd34bd4e10d

Analysis

max time kernel
104s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2025, 14:32

Target

2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe
Size

2.8MB
MD5

829b23998e2e363fbdf62899e56b93fa
SHA1

d648ed8e96285dc7b38265ffd4f8a0b40cb151d2
SHA256

7a286c84b6ed0e75b68d9bd2318516edd2c156df8374ac6394e8fdd34bd4e10d
SHA512

2694edbdb320e94dfb90390e9a6ac680a24cb668223e9e1b67e8a32f610fb0175d7f09f7e7e1dffc598a7bd7f9cea74bf8b06e27d5bc91d648c1145bc80b3649
SSDEEP

49152:t61woRhtyGPTOjMjImaDRZLHNryL3eUzCa1Ci1Cz2Uo:t65tE3ByL3/9Ci1y2N

Score

10^/10

Family

metasploit

Version

metasploit_stager

192.168.0.107:4444

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 5720	2628	2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe	85
PID 2628 wrote to memory of 5720	2628	2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe	85

C:\Users\Admin\AppData\Local\Temp\2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:5720

memory/2628-0-0x00007FFC4E070000-0x00007FFC4E265000-memory.dmp

Filesize
2.0MB

Download
memory/2628-1-0x00000213F89A0000-0x00000213F89A1000-memory.dmp

Filesize
4KB

Download