Source: hot.exe |
Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "185.228.139.123", "Port": 4444} |
Source: hot.exe |
ReversingLabs: Detection: 86% |
Source: hot.exe |
Virustotal: Detection: 86% |
Perma Link |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 99.0% probability |
Source: hot.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: |
Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: hot.exe |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 4x nop then outsb |
0_2_004048F3 |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 4x nop then push ebp |
0_2_004055CB |
Source: global traffic |
TCP traffic: 192.168.2.5:49704 -> 185.228.139.123:4444 |
Source: Joe Sandbox View |
ASN Name: NETCUP-ASnetcupGmbHDE NETCUP-ASnetcupGmbHDE |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.228.139.123 |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 0_2_006A0095 WSASocketA,connect,recv,closesocket, |
0_2_006A0095 |
Source: hot.exe |
String found in binary or memory: http://www.apache.org/ |
Source: hot.exe |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: hot.exe |
String found in binary or memory: http://www.zeustech.net/ |
Source: hot.exe, type: SAMPLE |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
Source: 0.2.hot.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
Source: 0.0.hot.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
Source: 00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
Source: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
Source: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
Source: hot.exe, 00000000.00000000.1966682312.0000000000415000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameab.exeF vs hot.exe |
Source: hot.exe |
Binary or memory string: OriginalFilenameab.exeF vs hot.exe |
Source: hot.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: hot.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: 0.2.hot.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: 0.0.hot.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: 00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: hot.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal100.troj.winEXE@1/0@0/1 |
Source: hot.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\hot.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: hot.exe |
ReversingLabs: Detection: 86% |
Source: hot.exe |
Virustotal: Detection: 86% |
Source: C:\Users\user\Desktop\hot.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\hot.exe |
Section loaded: wsock32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\hot.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: hot.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: hot.exe |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 0_2_00403865 push es; retf |
0_2_00403883 |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 0_2_00407467 pushfd ; ret |
0_2_0040748F |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 0_2_004096C0 push 46E58B07h; ret |
0_2_004096F1 |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 0_2_004096D0 push 46E58B07h; ret |
0_2_004096F1 |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 0_2_00406770 push esp; ret |
0_2_00406775 |
Source: C:\Users\user\Desktop\hot.exe |
Code function: 0_2_004075B9 pushfd ; iretd |
0_2_004075E6 |
Source: hot.exe |
Static PE information: section name: .text entropy: 7.018049873082076 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: hot.exe, 00000000.00000002.2142966468.00000000006DE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Yara match |
File source: hot.exe, type: SAMPLE |
Source: Yara match |
File source: 0.2.hot.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.hot.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |