metasploit | 7a286c84b6ed0e75b68d9bd2318516edd2c156df8374ac6394e8fdd34bd4e10d

Analysis

max time kernel
106s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2025, 14:38

Target

2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe
Size

2.8MB
MD5

829b23998e2e363fbdf62899e56b93fa
SHA1

d648ed8e96285dc7b38265ffd4f8a0b40cb151d2
SHA256

7a286c84b6ed0e75b68d9bd2318516edd2c156df8374ac6394e8fdd34bd4e10d
SHA512

2694edbdb320e94dfb90390e9a6ac680a24cb668223e9e1b67e8a32f610fb0175d7f09f7e7e1dffc598a7bd7f9cea74bf8b06e27d5bc91d648c1145bc80b3649
SSDEEP

49152:t61woRhtyGPTOjMjImaDRZLHNryL3eUzCa1Ci1Cz2Uo:t65tE3ByL3/9Ci1y2N

Score

10^/10

Family

metasploit

Version

metasploit_stager

192.168.0.107:4444

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 4432	1264	2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe	86
PID 1264 wrote to memory of 4432	1264	2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe	86

C:\Users\Admin\AppData\Local\Temp\2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-17_829b23998e2e363fbdf62899e56b93fa_frostygoop_ghostlocker_knight_luca-stealer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:4432

memory/1264-0-0x00007FFE3D4F0000-0x00007FFE3D6E5000-memory.dmp

Filesize
2.0MB

Download
memory/1264-1-0x0000017E783F0000-0x0000017E783F1000-memory.dmp

Filesize
4KB

Download