Windows Analysis Report
cracked.exe

Overview

General Information

Sample name: cracked.exe
Analysis ID: 1446997
MD5: 41b1b1f3940c54bf207a9e6f7d0eada6
SHA1: 00946ab04db6e5f0161624807a593bef8cdf3530
SHA256: f534a2084d2b59d37741bfe46848828079597e17b4aa6e34d7f6b8e8f187ad63
Tags: exe, metasploit, meterpreter, rozena

Detection

Metasploit, Meterpreter
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Yara detected Meterpreter
AI detected suspicious sample
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: cracked.exe Avira: detected
Source: cracked.exe ReversingLabs: Detection: 78%
Source: cracked.exe Virustotal: Detection: 85%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: cracked.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5910 _memcpy_s,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptSetKeyParam,CryptGenRandom,GetLastError,GetLastError,CryptSetKeyParam,GetLastError,htonl,_malloc,_memcpy_s,CryptEncrypt,GetLastError,htonl,_memcpy_s,_memcpy_s,_malloc,htonl,_memcpy_s,_memcpy_s,CryptDestroyKey, 0_2_007A5910
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5B01 _calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,CryptImportKey,GetLastError,_free, 0_2_007A5B01
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5CD1 CryptDecodeObjectEx,GetLastError,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptImportPublicKeyInfo,CryptEncrypt,CryptEncrypt,_calloc,_memcpy_s,CryptEncrypt,_free,LocalFree,CryptDestroyKey,CryptReleaseContext, 0_2_007A5CD1
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5C90 CryptDestroyKey,GetUserObjectInformationA,CryptReleaseContext,_free, 0_2_007A5C90
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A579E _calloc,htonl,htonl,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,_memmove_s,htonl,htonl,_malloc,_memcpy_s,CryptDestroyKey, 0_2_007A579E
Source: cracked.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
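The five "Code function" lines above list CryptoAPI call sequences: a public key decoded and imported (CryptDecodeObjectEx, CryptImportPublicKeyInfo) and used with CryptEncrypt, a random key generated and imported (CryptGenRandom, CryptImportKey), and per-message CryptDuplicateKey / CryptSetKeyParam before CryptEncrypt or CryptDecrypt. Together that is the shape of a fresh symmetric key wrapped under a public key and then used with an explicit IV. The following is an added example written for this page, not Joe Sandbox code: it parses the report's own line format and flags those ordered call patterns. The pattern names and the reading attached to them are this example's assumptions based on what the CryptoAPI functions do in general; the report itself only lists the calls.

```python
"""Flag hybrid-encryption call sequences in sandbox "Code function" lines."""
import re

# The five "Code function" lines copied from this report's AV Detection section.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5910 _memcpy_s,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptSetKeyParam,CryptGenRandom,GetLastError,GetLastError,CryptSetKeyParam,GetLastError,htonl,_malloc,_memcpy_s,CryptEncrypt,GetLastError,htonl,_memcpy_s,_memcpy_s,_malloc,htonl,_memcpy_s,_memcpy_s,CryptDestroyKey, 0_2_007A5910",
    r"Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5B01 _calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,CryptImportKey,GetLastError,_free, 0_2_007A5B01",
    r"Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5CD1 CryptDecodeObjectEx,GetLastError,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptImportPublicKeyInfo,CryptEncrypt,CryptEncrypt,_calloc,_memcpy_s,CryptEncrypt,_free,LocalFree,CryptDestroyKey,CryptReleaseContext, 0_2_007A5CD1",
    r"Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5C90 CryptDestroyKey,GetUserObjectInformationA,CryptReleaseContext,_free, 0_2_007A5C90",
    r"Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A579E _calloc,htonl,htonl,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,_memmove_s,htonl,htonl,_malloc,_memcpy_s,CryptDestroyKey, 0_2_007A579E",
]

# Ordered call subsequences (unrelated calls may sit in between). The names are
# this example's own labels (assumption), not Joe Sandbox signature names.
PATTERNS = {
    # decode + import a public key, then encrypt with it: wrapping a secret
    "pubkey_wrap": ["CryptDecodeObjectEx", "CryptImportPublicKeyInfo", "CryptEncrypt"],
    # random bytes turned into a key object: a fresh symmetric key
    "fresh_key": ["CryptAcquireContextW", "CryptGenRandom", "CryptImportKey"],
    # duplicate key, set parameters (IV/mode), random IV, encrypt
    "iv_encrypt": ["CryptDuplicateKey", "CryptSetKeyParam", "CryptGenRandom", "CryptEncrypt"],
    # duplicate key, set parameters, decrypt
    "iv_decrypt": ["CryptDuplicateKey", "CryptSetKeyParam", "CryptDecrypt"],
}

# "... Code function: <id> <call>,<call>,..., <id>" as printed in the report
LINE_RE = re.compile(r"Code function: (\S+) (.*?)\s+\1\s*$")


def parse_line(line: str):
    """Return (function id, [call names]) for a report line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    calls = [c for c in m.group(2).split(",") if c]
    return m.group(1), calls


def contains_in_order(calls, pattern) -> bool:
    """True if every name in pattern appears in calls, in that order."""
    it = iter(calls)
    return all(any(c == wanted for c in it) for wanted in pattern)


def flag_lines(lines):
    """Map each function id to the list of pattern names it matches."""
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        fid, calls = parsed
        findings[fid] = [name for name, pat in PATTERNS.items()
                         if contains_in_order(calls, pat)]
    return findings


if __name__ == "__main__":
    for fid, names in flag_lines(REPORT_LINES).items():
        print(fid, ", ".join(names) or "-")
```

Run against the report lines, 0_2_007A5CD1 is flagged as the public-key wrap, 0_2_007A5B01 as the fresh-key import, 0_2_007A5910 and 0_2_007A579E as the encrypt and decrypt paths with explicit IV handling, and 0_2_007A5C90 (cleanup only) matches nothing. The ordered-subsequence check is deliberately loose so that GetLastError and allocator calls between the CryptoAPI calls do not break a match.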

Networking

Source: Yara match File source: cracked.exe, type: SAMPLE
Source: Yara match File source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 185.228.139.123:8443
Source: unknown TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00408B40 WSARecv,WSAGetLastError,WSAGetLastError,WSAGetLastError, 0_2_00408B40
Source: cracked.exe String found in binary or memory: http://www.apache.org/
Source: cracked.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cracked.exe String found in binary or memory: http://www.zeustech.net/
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/&&
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/)
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/-&
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/0
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/4&
Source: cracked.exe String found in binary or memory: https://185.228.139.123:8443/6mopdNaoQfcUCxUKcT5rOgk6Ghe5kPS2RxsCbDkmRVCYraOjDorEABYEk0r2iVvCnzli5Bo
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/;&
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/V
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/c
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/j
Source: cracked.exe, 00000000.00000002.2890697139.000000000058E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.228.139.123:8443/q
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5B01 _calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,CryptImportKey,GetLastError,_free, 0_2_007A5B01
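The networking evidence above is a connection to a literal IP on a non-standard port (8443) with no DNS query, and HTTPS URLs whose path is a long base64url-looking string. Metasploit's reverse_http(s) handlers accept a request only when the 8-bit checksum (sum of ASCII byte values mod 256) of the base64url characters of the requested path equals one of the handler's mode constants, and when the path is at least 22 characters long the first 22 are read as a base64url-encoded 16-byte payload UUID. The following is an added example written for this page, not code from Joe Sandbox or Metasploit: it triages the report's two URL strings with those checks. The mode values 92 (Windows/native stager), 80 (Python), 88 (Java) and 98 (stageless/session connect) are the framework's URI_CHECKSUM_* constants; make_checksum_uri is this example's own deterministic stand-in for the framework's random URI generator, used to show a positive match. The long URL from the report is exactly 100 characters, which is consistent with the string extractor having cut it off, so its checksum (191, no mode) is reported but is not conclusive.

```python
"""Triage reverse_http(s)-style URLs taken from this report's Networking section."""
import ipaddress
import re
import string
from urllib.parse import urlsplit

# Copied from the report (the second one is 100 characters and may be truncated).
REPORT_URLS = [
    "https://185.228.139.123:8443/",
    "https://185.228.139.123:8443/6mopdNaoQfcUCxUKcT5rOgk6Ghe5kPS2RxsCbDkmRVCYraOjDorEABYEk0r2iVvCnzli5Bo",
]

# Metasploit URI_CHECKSUM_* mode constants (INITN shares 92 with INITW).
URI_CHECKSUM_MODES = {92: "INITW", 80: "INITP", 88: "INITJ", 98: "CONN"}
URI_UUID_LEN = 22            # 16-byte payload UUID, base64url without padding
ALNUM = string.ascii_letters + string.digits
ALNUM_CODES = set(ALNUM.encode("ascii"))


def checksum8(s: str) -> int:
    """Sum of the ASCII byte values mod 256."""
    return sum(s.encode("ascii")) % 256


def uri_bare(url: str) -> str:
    """Keep only the base64url characters of the path, as the handler does."""
    return re.sub(r"[^A-Za-z0-9_\-]", "", urlsplit(url).path)


def triage_url(url: str) -> dict:
    """Collect the observations a sandbox signature would key on."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        literal_ip = True          # no DNS lookup needed before connecting
    except ValueError:
        literal_ip = False
    port = parts.port or (443 if parts.scheme == "https" else 80)
    bare = uri_bare(url)
    csum = checksum8(bare)
    return {
        "host": host,
        "port": port,
        "literal_ip": literal_ip,
        "nonstandard_port": port not in (80, 443),
        "checksum8": csum,
        "mode": URI_CHECKSUM_MODES.get(csum) if bare else None,
        "uuid_b64": bare[:URI_UUID_LEN] if len(bare) >= URI_UUID_LEN else None,
    }


def make_checksum_uri(prefix: str, target: int, filler: str = "a") -> str:
    """Deterministic stand-in for the framework's random generator (assumption).

    Appends filler characters until the missing residue is itself an
    alphanumeric code, then appends that character. ord(filler) is odd, so the
    residue walks through every class mod 256 within 256 steps and the loop
    always terminates.
    """
    assert ord(filler) % 2 == 1 and filler in ALNUM
    cur = prefix
    for _ in range(256):
        need = (target - checksum8(cur)) % 256
        if need in ALNUM_CODES:
            return cur + chr(need)
        cur += filler
    raise RuntimeError("unreachable")


if __name__ == "__main__":
    for u in REPORT_URLS:
        print(triage_url(u))
    demo = make_checksum_uri("6mopdNaoQf", 98)
    print(demo, triage_url("https://185.228.139.123:8443/" + demo + "/")["mode"])
```

Both report URLs score literal_ip and nonstandard_port, which is what the "TCP traffic detected without corresponding DNS query" and "non-standard ports" signatures express. The long path yields checksum 191 and no mode; a path padded by make_checksum_uri to checksum 98 is classified CONN. When checking a full proxy or packet-capture URL list, feed only the first request per connection: Meterpreter's later requests on the same transport reuse the same path.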

System Summary

Source: cracked.exe, type: SAMPLE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: cracked.exe, type: SAMPLE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: cracked.exe, type: SAMPLE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: cracked.exe, type: SAMPLE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000000.00000002.2890880419.00000000007C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.2890880419.00000000007C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2890880419.00000000007C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Meterpreter payload Author: ditekSHen
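The Yara matches above describe Metasploit's block_api routine: shellcode that carries no import table and instead walks the PEB module list, hashing each module name and each exported function name with "rotate right 13, add byte", and comparing the sum against a 32-bit constant pushed by the caller. The following is an added example written for this page, not code from the report, from Metasploit or from the Yara rules: it re-implements that hash (the module name is upper-cased and hashed as UTF-16LE including its terminator, the function name as ASCII including its NUL, both sums added mod 2^32), builds a look-up table from a small constructed watch-list of API names, and scans a constructed byte string for the push imm32 / call ebp (x86) and mov r10d, imm32 / call rbp (x64) call sites so that the immediates can be resolved to names. The two constants checked, 0x0726774C for kernel32.dll!LoadLibraryA and 0x876F8B31 for kernel32.dll!WinExec, are the values documented in Metasploit's shellcode sources; the byte blob is not from cracked.exe.

```python
"""Resolve Metasploit block_api (ROR13) API hashes found in shellcode."""
import struct

MASK32 = 0xFFFFFFFF


def ror13(x: int) -> int:
    return ((x >> 13) | (x << 19)) & MASK32


def _fold(data: bytes) -> int:
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def module_hash(name: str) -> int:
    # block_api reads BaseDllName for MaximumLength bytes (the UTF-16 NUL
    # included) and normalises lower-case letters to upper case first.
    return _fold((name.upper() + "\x00").encode("utf-16le"))


def function_hash(name: str) -> int:
    # The export name is hashed as ASCII up to and including its NUL.
    return _fold(name.encode("ascii") + b"\x00")


def api_hash(module: str, function: str) -> int:
    return (module_hash(module) + function_hash(function)) & MASK32


# Constructed watch-list for the look-up table; extend it with the exports
# you expect to see. A stageless HTTPS payload needs far more than this.
WATCHLIST = [
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "WinExec"), ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "CreateThread"), ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"), ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "recv"), ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetConnectA"), ("wininet.dll", "HttpOpenRequestA"),
    ("wininet.dll", "InternetSetOptionA"), ("wininet.dll", "HttpSendRequestA"),
    ("wininet.dll", "InternetReadFile"),
]
HASH_TO_NAME = {api_hash(m, f): f"{m}!{f}" for m, f in WATCHLIST}


def find_api_calls(blob: bytes):
    """Return [(offset, hash, resolved name or None)] for block_api call sites."""
    hits = []
    for off in range(len(blob)):
        # x86: 68 imm32 FF D5            push imm32 ; call ebp
        if blob[off] == 0x68 and blob[off + 5:off + 7] == b"\xff\xd5":
            h = struct.unpack_from("<I", blob, off + 1)[0]
            hits.append((off, h, HASH_TO_NAME.get(h)))
        # x64: 41 BA imm32 FF D5         mov r10d, imm32 ; call rbp
        elif blob[off:off + 2] == b"\x41\xba" and blob[off + 6:off + 8] == b"\xff\xd5":
            h = struct.unpack_from("<I", blob, off + 2)[0]
            hits.append((off, h, HASH_TO_NAME.get(h)))
    return hits


# Constructed bytes shaped like block_api call sites (not from cracked.exe).
SAMPLE_BLOB = (
    b"\x90\x90"                           # filler
    b"\x68\x4c\x77\x26\x07\xff\xd5"       # push 0x0726774C ; call ebp
    b"\x68\x31\x8b\x6f\x87\xff\xd5"       # push 0x876F8B31 ; call ebp
    b"\x68\x41\x41\x41\x41\xff\xd5"       # push 0x41414141 ; call ebp (unknown)
    b"\x41\xba\x4c\x77\x26\x07\xff\xd5"   # mov r10d, 0x0726774C ; call rbp
)


if __name__ == "__main__":
    for off, h, name in find_api_calls(SAMPLE_BLOB):
        print(f"{off:4d}  0x{h:08X}  {name or '?'}")
```

The same constants appear in both the x86 and x64 shellcode, so one table serves both; the third Yara rule above matches the x64 variant of the lookup loop, not a different hash. Beacon and other tools reuse the lookup routine, which is why the first rule's description says so: a match on the hashing loop proves the technique, and resolving the pushed constants is what tells you which APIs a given blob actually calls.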
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_004096C0: GetFileInformationByHandle,DeviceIoControl,GetLastError,GetLastError,GetLastError,WaitForSingleObject,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,WaitForSingleObject,SetLastError,GetOverlappedResult,GetLastError,GetLastError,GetLastError, 0_2_004096C0
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_004070D0 0_2_004070D0
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00406A40 0_2_00406A40
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00429252 0_2_00429252
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00427279 0_2_00427279
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0043327D 0_2_0043327D
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00426A2C 0_2_00426A2C
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00425300 0_2_00425300
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042FB20 0_2_0042FB20
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042444D 0_2_0042444D
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0040B400 0_2_0040B400
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00433D61 0_2_00433D61
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00434509 0_2_00434509
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00426538 0_2_00426538
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00426E44 0_2_00426E44
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00435692 0_2_00435692
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_004276AE 0_2_004276AE
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042BF42 0_2_0042BF42
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_004337EF 0_2_004337EF
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007AF04D 0_2_007AF04D
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007BE961 0_2_007BE961
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B1138 0_2_007B1138
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007BF109 0_2_007BF109
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B1A44 0_2_007B1A44
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B22AE 0_2_007B22AE
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007C0292 0_2_007C0292
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B6B42 0_2_007B6B42
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007ADBF2 0_2_007ADBF2
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007BE3EF 0_2_007BE3EF
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B1E79 0_2_007B1E79
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007BDE7D 0_2_007BDE7D
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B3E52 0_2_007B3E52
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B162C 0_2_007B162C
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007BA720 0_2_007BA720
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007AFF00 0_2_007AFF00
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007AA78D 0_2_007AA78D
Source: C:\Users\user\Desktop\cracked.exe Code function: String function: 0042E180 appears 88 times
Source: C:\Users\user\Desktop\cracked.exe Code function: String function: 0042E4DE appears 64 times
Source: cracked.exe Binary or memory string: OriginalFilename vs cracked.exe
Source: cracked.exe, 00000000.00000002.2890635117.0000000000415000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename ab.exe vs cracked.exe
Source: cracked.exe, 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename ab.exe vs cracked.exe
Source: cracked.exe Binary or memory string: OriginalFilename ab.exe vs cracked.exe
Source: cracked.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: cracked.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: cracked.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: cracked.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: cracked.exe, type: SAMPLE Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 00000000.00000002.2890880419.00000000007C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000002.2890880419.00000000007C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2890880419.00000000007C7000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
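The three Elastic rules that fire on every unpacked region above (38b8ceec, 7bc0f998, c9773203) all key on the same construct: the Metasploit block_api stub, which never imports anything by name but walks the PEB loader list and compares a 32-bit ROR13 hash of `UPPERCASE_MODULE_NAME` plus `export_name` against a constant carried in the shellcode. The script below is an added example, not part of this report and not code from the Metasploit repository; it reimplements that hash (module name uppercased and hashed as UTF-16LE with its two-byte terminator, export name hashed as ASCII with its NUL, each step `h = ror13(h) + byte` wrapped at 32 bits, then the two partial hashes summed), and uses it to turn constants pulled out of a sample back into API names. The x64 stub (rule c9773203) computes the same values in 32-bit registers, so one table covers both. The candidate export list is my own assumption and deliberately includes the Winsock calls a bind-style stager needs; the expected values for LoadLibraryA and ExitProcess are the well-known Metasploit constants.

```python
"""Metasploit-style ROR13 API hashing: compute constants and resolve them back to names."""

MASK32 = 0xFFFFFFFF


def ror32(value, bits=13):
    """Rotate a 32-bit value right (the 'ror edi, 13' / 'ror r9d, 13' in block_api.asm)."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def hash_bytes(data):
    """Fold a byte string with h = ror13(h) + byte, wrapping at 32 bits like the register does."""
    h = 0
    for b in data:
        h = (ror32(h) + b) & MASK32
    return h


def module_hash(module):
    # The stub hashes LDR_DATA_TABLE_ENTRY.BaseDllName, a UTF-16LE string, uppercasing
    # each byte on the fly and including the two-byte terminator (MaximumLength).
    return hash_bytes((module.upper() + "\0").encode("utf-16-le"))


def function_hash(function):
    # Export names are ASCII in the export directory; the terminating NUL is hashed too.
    return hash_bytes(function.encode("ascii") + b"\0")


def api_hash(module, function):
    """The constant the shellcode compares against: module hash + function hash, mod 2**32."""
    return (module_hash(module) + function_hash(function)) & MASK32


# Assumed candidate list (not from the report): exports a Meterpreter bind/reverse stager
# and its loader typically resolve. Extend it with whatever the triage needs.
CANDIDATES = {
    "kernel32.dll": ["LoadLibraryA", "VirtualAlloc", "CreateThread", "ExitProcess",
                     "WaitForSingleObject", "ExitThread", "WinExec"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "bind", "listen", "accept", "connect",
                   "closesocket", "recv", "send"],
    "ntdll.dll": ["RtlExitUserThread"],
    "wininet.dll": ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                    "HttpSendRequestA", "InternetReadFile", "InternetSetOptionA"],
}


def build_lookup(candidates=None):
    """Map every candidate (module, export) pair to its ROR13 constant."""
    candidates = candidates or CANDIDATES
    return {api_hash(m, f): "%s!%s" % (m, f) for m, funcs in candidates.items() for f in funcs}


def resolve(hashes, lookup=None):
    """Resolve constants found in a sample; unknown values map to None instead of guessing."""
    lookup = lookup or build_lookup()
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed input: two published Metasploit constants and one value that is not an API hash.
    for h, name in resolve([0x0726774C, 0x56A2B5F0, 0xDEADBEEF]).items():
        print("0x%08X -> %s" % (h, name))
```

When triaging a new sample, feed `resolve()` the immediates that precede each `call ebp` (x86) or `call rbp` (x64) in the stub; an unresolved constant usually means the export is simply missing from the candidate list, not that the hash scheme differs.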
Source: classification engine Classification label: mal92.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A1BAC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetLastError,CreateEventW,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,_free,_free,CloseHandle,CloseHandle, 0_2_007A1BAC
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A770B GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 0_2_007A770B
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A25C8 VirtualAllocEx,VirtualQueryEx,_malloc,_memset,WriteProcessMemory,WriteProcessMemory,_free,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,GetLastError,Thread32First,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,OpenThread,SuspendThread,CloseHandle,Thread32Next,SetLastError,GetLastError,Sleep,ResumeThread,CloseHandle,CloseHandle,FreeLibrary,SetLastError, 0_2_007A25C8
Source: C:\Users\user\Desktop\cracked.exe Mutant created: NULL
Source: C:\Users\user\Desktop\cracked.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: cracked.exe ReversingLabs: Detection: 78%
Source: cracked.exe Virustotal: Detection: 85%
Source: C:\Users\user\Desktop\cracked.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0040A940 LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_0040A940
Source: initial sample Static PE information: section where entry point is pointing to: .graz
Source: cracked.exe Static PE information: real checksum: 0x409bb should be: 0x40b13
Source: cracked.exe Static PE information: section name: .graz
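The three static findings above (entry point inside a section named .graz, a section name that is not one of the linker defaults, and a stored header checksum that disagrees with the recomputed one) are cheap to reproduce without a sandbox. The script below is an added example, not part of this report; it parses the PE32 headers with the standard library, recomputes the checksum the way imagehlp's CheckSumMappedFile does (16-bit word sum with end-around carry, skipping the CheckSum field, plus the file length) and emits findings in the same shape as the lines above. The input is a constructed minimal two-section image, not cracked.exe, and the bogus stored checksum, the section names and the RWX flag on .graz are my own test data.

```python
"""Static PE checks: entry-point section, non-standard section names, header checksum."""
import struct

# Assumed "standard" names; anything else is worth a second look, as .graz was here.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                        ".bss", ".tls", ".pdata", ".xdata", ".CRT", ".textbss", ".debug"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def _optional_header_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    return e_lfanew + 24          # 4-byte signature + 20-byte IMAGE_FILE_HEADER


def sections(data):
    opt = _optional_header_offset(data)
    num_sections = struct.unpack_from("<H", data, opt - 18)[0]   # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, opt - 4)[0]        # FileHeader.SizeOfOptionalHeader
    out = []
    for i in range(num_sections):
        base = opt + opt_size + 40 * i
        name = data[base:base + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, base + 8)
        chars = struct.unpack_from("<I", data, base + 36)[0]
        out.append({"name": name, "va": va, "vsize": vsize or raw_size,
                    "raw_ptr": raw_ptr, "raw_size": raw_size, "chars": chars})
    return out


def entry_point_section(data):
    """Name of the section whose virtual range holds AddressOfEntryPoint, or None."""
    entry = struct.unpack_from("<I", data, _optional_header_offset(data) + 16)[0]
    for s in sections(data):
        if s["va"] <= entry < s["va"] + s["vsize"]:
            return s["name"]
    return None


def nonstandard_sections(data):
    return [s["name"] for s in sections(data) if s["name"] not in COMMON_SECTION_NAMES]


def stored_checksum(data):
    return struct.unpack_from("<I", data, _optional_header_offset(data) + 64)[0]


def pe_checksum(data):
    """Recompute OptionalHeader.CheckSum: word sum with carry fold, CheckSum field skipped."""
    opt = _optional_header_offset(data)
    skip = {opt + 64, opt + 66}                  # the two words of the CheckSum field itself
    total = 0
    for off in range(0, len(data) & ~1, 2):
        if off in skip:
            continue
        total += data[off] | (data[off + 1] << 8)
        total = (total >> 16) + (total & 0xFFFF)
    if len(data) & 1:                            # odd trailing byte
        total += data[-1]
        total = (total >> 16) + (total & 0xFFFF)
    total = ((total >> 16) + total) & 0xFFFF
    return total + len(data)


def static_findings(data):
    """Findings phrased like the sandbox's 'Static PE information' lines."""
    findings = []
    ep = entry_point_section(data)
    if ep not in (".text", "CODE"):
        findings.append("section where entry point is pointing to: %s" % ep)
    stored, real = stored_checksum(data), pe_checksum(data)
    if stored != real:
        findings.append("real checksum: %#x should be: %#x" % (stored, real))
    for name in nonstandard_sections(data):
        findings.append("section name: %s" % name)
    for s in sections(data):
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("writable and executable section: %s" % s["name"])
    return findings


def build_sample_pe():
    """Constructed minimal PE32 with .text and .graz (test data, not cracked.exe)."""
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 2)            # Machine i386, NumberOfSections
    struct.pack_into("<HH", img, 0x54, 0xE0, 0x0102)        # SizeOfOptionalHeader, Characteristics
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2000)           # AddressOfEntryPoint -> inside .graz
    struct.pack_into("<I", img, opt + 20, 0x1000)           # BaseOfCode
    struct.pack_into("<I", img, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 64, 0x12345678)       # bogus stored CheckSum
    headers = [(b".text", 0x1000, 0x200, 0x60000020), (b".graz", 0x2000, 0x400, 0xE0000020)]
    for i, (name, va, raw_ptr, chars) in enumerate(headers):
        base = opt + 0xE0 + 40 * i
        img[base:base + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, base + 8, 0x100, va, 0x200, raw_ptr)
        struct.pack_into("<I", img, base + 36, chars)
    return bytes(img)


if __name__ == "__main__":
    for line in static_findings(build_sample_pe()):
        print("Static PE information:", line)
```

A checksum mismatch on its own is weak evidence (many legitimate unsigned builds never set the field), but combined with an entry point in a non-default section it is the pattern of a post-link packer or crypter stub, which is what the .graz section here is.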
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0040B840 push eax; ret 0_2_0040B86E
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042B827 push esi; ret 0_2_0042B829
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0043288D push edi; ret 0_2_0043288F
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042B910 push edi; ret 0_2_0042B912
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042E1C5 push ecx; ret 0_2_0042E1D8
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_004252EB push ecx; ret 0_2_004252FB
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0043243E push edi; ret 0_2_0043244D
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042B4C1 push edi; ret 0_2_0042B4D0
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_004324B0 push edi; ret 0_2_004324B2
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042B533 push edi; ret 0_2_0042B535
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_004325BB push esi; ret 0_2_004325CB
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0042B64C push esi; ret 0_2_0042B64E
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_004327A4 push esi; ret 0_2_004327A6
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B3E52 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007B3E52
Source: C:\Users\user\Desktop\cracked.exe API coverage: 2.8 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\cracked.exe Last function: Thread delayed
Source: cracked.exe, 00000000.00000002.2890697139.00000000005BA000.00000004.00000020.00020000.00000000.sdmp, cracked.exe, 00000000.00000002.2890697139.000000000056E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\cracked.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007BA1D9 IsDebuggerPresent, 0_2_007BA1D9
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B9768 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_007B9768
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0040A940 LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_0040A940
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0041A568 mov eax, dword ptr fs:[00000030h] 0_2_0041A568
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A5168 mov eax, dword ptr fs:[00000030h] 0_2_007A5168
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B3BE8 GetProcessHeap, 0_2_007B3BE8
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A56FE GetModuleHandleW,SetUnhandledExceptionFilter,ExitProcess,ExitThread, 0_2_007A56FE
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007B8C43 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007B8C43

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A4F7E VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 0_2_007A4F7E
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A7604 CreateNamedPipeA,AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclW,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeAcl,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorSacl, 0_2_007A7604
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00409C80 AllocateAndInitializeSid,SetLastError,SetLastError,SetLastError, 0_2_00409C80
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A828E CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,CloseHandle, 0_2_007A828E
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00406A00 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00406A00
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_00406B10 FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation, 0_2_00406B10
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_0040A720 GetVersionExA,_isctype,__mb_cur_max,_isctype,_pctype,atoi,_isctype,__mb_cur_max,_isctype,_pctype, 0_2_0040A720

Remote Access Functionality

Source: Yara match File source: cracked.exe, type: SAMPLE
Source: Yara match File source: cracked.exe, type: SAMPLE
Source: Yara match File source: 0.0.cracked.exe.416000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.cracked.exe.416000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cracked.exe.416000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.cracked.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cracked.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cracked.exe.7a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2890648733.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1628130648.0000000000416000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\cracked.exe Code function: 0_2_007A88C8 bind,WSAGetLastError,listen,accept,closesocket, 0_2_007A88C8