Edit tour

Windows Analysis Report
hot.exe

Overview

General Information

Sample name:	hot.exe
Analysis ID:	1447001
MD5:	de9ffcf77572e26f4baa2095dfa7fb87
SHA1:	210ae1175ab66311068ee5f8bcfd498ad2d04d18
SHA256:	194e405f98dadc88a7041b0724e31db7a92537f200c380b0e89674177ae0a963
Tags:	exemetasploitrozena
Infos:

Detection

Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

AI detected suspicious sample

Machine Learning detection for sample

Sigma detected: Potentially Suspicious Malware Callback Communication

Detected TCP or UDP traffic on non-standard ports

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

hot.exe (PID: 768 cmdline: "C:\Users\user\Desktop\hot.exe" MD5: DE9FFCF77572E26F4BAA2095DFA7FB87)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Metasploit Connect", "IP": "185.228.139.123", "Port": 4444}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
hot.exe	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
hot.exe	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
hot.exe	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x2004:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x1004:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0xd8:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x1004:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.hot.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.hot.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
0.0.hot.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.hot.exe.400000.0.unpack	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x2004:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
0.0.hot.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
0.0.hot.exe.400000.0.unpack	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x2004:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 185.228.139.123, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\Desktop\hot.exe, Initiated: true, ProcessId: 768, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hot.exe

Avira: detected

Found malware configuration

Source: hot.exe

Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "185.228.139.123", "Port": 4444}

Multi AV Scanner detection for submitted file

Source: hot.exe	ReversingLabs: Detection: 86%
Source: hot.exe	Virustotal: Detection: 86%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Machine Learning detection for sample

Source: hot.exe

Joe Sandbox ML: detected

Source: hot.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: hot.exe

Source: C:\Users\user\Desktop\hot.exe	Code function: 4x nop then outsb		0_2_004048F3
Source: C:\Users\user\Desktop\hot.exe	Code function: 4x nop then push ebp		0_2_004055CB

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 185.228.139.123:4444

Source: Joe Sandbox View

ASN Name: NETCUP-ASnetcupGmbHDE NETCUP-ASnetcupGmbHDE

Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123
Source: unknown	TCP traffic detected without corresponding DNS query: 185.228.139.123

Source: C:\Users\user\Desktop\hot.exe

Code function: 0_2_006A0095 WSASocketA,connect,recv,closesocket,

0_2_006A0095

Source: hot.exe	String found in binary or memory: http://www.apache.org/
Source: hot.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hot.exe	String found in binary or memory: http://www.zeustech.net/

System Summary

Malicious sample detected (through community Yara rule)

Source: hot.exe, type: SAMPLE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.2.hot.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.0.hot.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown

Source: hot.exe, 00000000.00000000.1966682312.0000000000415000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameab.exeF vs hot.exe
Source: hot.exe	Binary or memory string: OriginalFilenameab.exeF vs hot.exe

Source: hot.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: hot.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.2.hot.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.0.hot.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23

Source: hot.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.winEXE@1/0@0/1

Source: hot.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hot.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hot.exe	ReversingLabs: Detection: 86%
Source: hot.exe	Virustotal: Detection: 86%

Source: C:\Users\user\Desktop\hot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hot.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hot.exe	Section loaded: mswsock.dll	Jump to behavior

Source: hot.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: hot.exe

Source: C:\Users\user\Desktop\hot.exe	Code function: 0_2_00403865 push es; retf	0_2_00403883
Source: C:\Users\user\Desktop\hot.exe	Code function: 0_2_00407467 pushfd ; ret	0_2_0040748F
Source: C:\Users\user\Desktop\hot.exe	Code function: 0_2_004096C0 push 46E58B07h; ret	0_2_004096F1
Source: C:\Users\user\Desktop\hot.exe	Code function: 0_2_004096D0 push 46E58B07h; ret	0_2_004096F1
Source: C:\Users\user\Desktop\hot.exe	Code function: 0_2_00406770 push esp; ret	0_2_00406775
Source: C:\Users\user\Desktop\hot.exe	Code function: 0_2_004075B9 pushfd ; iretd	0_2_004075E6

Source: hot.exe

Static PE information: section name: .text entropy: 7.018049873082076

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: hot.exe, 00000000.00000002.2142966468.00000000006DE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: hot.exe, type: SAMPLE
Source: Yara match	File source: 0.2.hot.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hot.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Software Packing	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hot.exe	87%	ReversingLabs	Win32.Trojan.Swrort
hot.exe	86%	Virustotal		Browse
hot.exe	100%	Avira	TR/Patched.Gen2
hot.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.apache.org/	0%	URL Reputation	safe
http://www.zeustech.net/	0%	Avira URL Cloud	safe
http://www.zeustech.net/	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	hot.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/	hot.exe	false	URL Reputation: safe	unknown
http://www.zeustech.net/	hot.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.228.139.123	unknown	Germany		197540	NETCUP-ASnetcupGmbHDE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447001
Start date and time:	2024-05-24 08:08:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hot.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 7 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.228.139.123	cracked.exe	Get hash	malicious	Metasploit, Meterpreter	Browse
185.228.139.123	ranger.exe	Get hash	malicious	Metasploit	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NETCUP-ASnetcupGmbHDE	cracked.exe	Get hash	malicious	Metasploit, Meterpreter	Browse	185.228.139.123
	ranger.exe	Get hash	malicious	Metasploit	Browse	185.228.139.123
	file.exe	Get hash	malicious	CMSBrute	Browse	37.120.171.230
	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	195.128.101.64
	jXBjxhHQgR.exe	Get hash	malicious	CMSBrute	Browse	5.45.98.188
	INVOICE087667899.exe	Get hash	malicious	Unknown	Browse	93.177.67.178
	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	185.243.11.41
	does virginia have a no chase law for motorcycles 62848.js	Get hash	malicious	Unknown	Browse	46.38.249.148
	http://92.60.39.76:9993/wr.exe	Get hash	malicious	Xmrig	Browse	92.60.39.76
	http://92.60.39.76:9993/wr.exe	Get hash	malicious	Unknown	Browse	92.60.39.76

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.326903804700931
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hot.exe
File size:	73'802 bytes
MD5:	de9ffcf77572e26f4baa2095dfa7fb87
SHA1:	210ae1175ab66311068ee5f8bcfd498ad2d04d18
SHA256:	194e405f98dadc88a7041b0724e31db7a92537f200c380b0e89674177ae0a963
SHA512:	1e7f29dd2c52f593ef2b23b3d19c70366bbe87126e3565fedf802c516908b4121daf3e91465f18e114dcdaa3b5bf72d52f737e9c3be952931a9f066edf9b2662
SSDEEP:	1536:I1cCF7Zrxh8HXfrs04gVjdhBrMb+KR0Nc8QsJq39:EF7d8vzJhdhle0Nc8QsC9
TLSH:	A473A042E9C41475D196117E637136B6E970F4FD2702C1DA7A8CCDFAEBC18A0927A3CA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L...~3.J...........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40132b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4AB0337E [Wed Sep 16 00:38:22 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	481f47bbb2c9c21e108d65f52b04c448

Entrypoint Preview

Instruction
lahf
dec ebx
std
aas
clc
aaa
dec ebx
xchg eax, ebx
xchg eax, ebx
inc ecx
dec ecx
cmc
daa
inc eax
salc
das
clc
clc
cld
wait
lahf
clc
inc eax
cmc
dec eax
cwde
inc ebx
dec edx
salc
dec eax
dec edx
aas
inc eax
inc edx
dec eax
xchg eax, ecx
das
dec edx
xchg eax, ecx
cwde
nop
xchg eax, ebx
cdq
inc edx
xchg eax, edx
cwde
dec ecx
std
salc
nop
cwde
inc eax
dec ecx
xchg eax, ecx
std
inc eax
dec eax
cwde
wait
aaa
clc
inc ecx
inc edx
lahf
lahf
dec eax
std
das
daa
lahf
xchg eax, ecx
dec eax
inc edx
inc ecx
xchg eax, edx
dec ecx
dec edx
dec ecx
salc
dec ebx
clc
stc
inc ebx
dec edx
dec eax
salc
dec eax
cmc
std
inc ebx
std
cwde
xchg eax, ecx
das
xchg eax, edx
das
inc ebx
daa
dec eax
das
dec ecx
dec ebx
xchg eax, edx
daa
cwde
salc
lahf
wait
xchg eax, ecx
wait
wait
salc
inc edx
dec ecx
std
inc ecx
dec ecx
clc
aas
std
inc edx
aas
dec eax
stc
dec ecx
cwde
stc
cmc
std
inc eax
dec edx
dec ecx
inc ebx
daa
cld
nop
daa
xchg eax, ecx
inc ebx
cld
wait
das
aas
wait
dec edx
wait
dec ebx
std
inc eax
inc ebx
inc ecx
stc
cmc
inc eax
daa
std
aas
inc edx
daa
aaa
cwde
dec ecx
dec ebx
das
dec ecx
cdq
dec ebx
dec ecx
lahf
salc
xchg eax, ecx
xchg eax, edx
cld
inc ecx
inc eax
xchg eax, ebx
wait
aas
std
xchg eax, ecx
cdq
inc ecx
stc
xchg eax, edx
lahf
das
salc
inc ecx
xchg eax, ebx
daa
nop
inc eax
std
inc ebx
inc ebx
nop
dec edx
aaa
xchg eax, ebx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x7c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa966	0xb000	1f89a98da7f97af425bf189ac89a4565	False	0.8161399147727273	data	7.018049873082076	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0xfe6	0x1000	25d7ceee3aa85bb3e8c5174736f6f830	False	0.46142578125	DOS executable (COM, 0x8C-variant)	5.318390353744998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x705c	0x4000	283b5f792323d57b9db4d2bcc46580f8	False	0.25634765625	Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0	4.407841023203495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x15000	0x7c8	0x1000	c13a9413aea7291b6fc85d75bfcde381	False	0.197998046875	data	1.958296025171192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x15060	0x768	data	English	United States	0.40189873417721517

Imports

DLL	Import
MSVCRT.dll	_iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp
KERNEL32.dll	PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid
WSOCK32.dll	getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError
WS2_32.dll	WSARecv, WSASend

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 08:08:52.687985897 CEST	49704	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:52.693135977 CEST	4444	49704	185.228.139.123	192.168.2.5
May 24, 2024 08:08:52.693404913 CEST	49704	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:54.321208000 CEST	4444	49704	185.228.139.123	192.168.2.5
May 24, 2024 08:08:54.321433067 CEST	49704	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:54.339118958 CEST	49704	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:54.344189882 CEST	4444	49704	185.228.139.123	192.168.2.5
May 24, 2024 08:08:54.345601082 CEST	49705	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:54.350632906 CEST	4444	49705	185.228.139.123	192.168.2.5
May 24, 2024 08:08:54.350857973 CEST	49705	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:55.977478981 CEST	4444	49705	185.228.139.123	192.168.2.5
May 24, 2024 08:08:55.977679014 CEST	49705	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:55.978159904 CEST	49705	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:55.978903055 CEST	49706	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:55.988204002 CEST	4444	49705	185.228.139.123	192.168.2.5
May 24, 2024 08:08:56.035355091 CEST	4444	49706	185.228.139.123	192.168.2.5
May 24, 2024 08:08:56.035615921 CEST	49706	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:57.686635017 CEST	4444	49706	185.228.139.123	192.168.2.5
May 24, 2024 08:08:57.686984062 CEST	49706	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:57.687218904 CEST	49706	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:57.688033104 CEST	49707	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:57.697010994 CEST	4444	49706	185.228.139.123	192.168.2.5
May 24, 2024 08:08:57.747438908 CEST	4444	49707	185.228.139.123	192.168.2.5
May 24, 2024 08:08:57.747828960 CEST	49707	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:59.387412071 CEST	4444	49707	185.228.139.123	192.168.2.5
May 24, 2024 08:08:59.387655020 CEST	49707	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:59.387916088 CEST	49707	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:59.388694048 CEST	49708	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:08:59.397516012 CEST	4444	49707	185.228.139.123	192.168.2.5
May 24, 2024 08:08:59.447325945 CEST	4444	49708	185.228.139.123	192.168.2.5
May 24, 2024 08:08:59.447582960 CEST	49708	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:01.098376989 CEST	4444	49708	185.228.139.123	192.168.2.5
May 24, 2024 08:09:01.098715067 CEST	49708	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:01.099091053 CEST	49708	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:01.100259066 CEST	49709	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:01.108510971 CEST	4444	49708	185.228.139.123	192.168.2.5
May 24, 2024 08:09:01.155294895 CEST	4444	49709	185.228.139.123	192.168.2.5
May 24, 2024 08:09:01.155400991 CEST	49709	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:02.809432983 CEST	4444	49709	185.228.139.123	192.168.2.5
May 24, 2024 08:09:02.809509993 CEST	49709	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:02.809917927 CEST	49709	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:02.810687065 CEST	49710	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:02.819360018 CEST	4444	49709	185.228.139.123	192.168.2.5
May 24, 2024 08:09:02.867394924 CEST	4444	49710	185.228.139.123	192.168.2.5
May 24, 2024 08:09:02.867594957 CEST	49710	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:04.531936884 CEST	4444	49710	185.228.139.123	192.168.2.5
May 24, 2024 08:09:04.532150984 CEST	49710	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:04.532602072 CEST	49710	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:04.533309937 CEST	49711	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:04.542104006 CEST	4444	49710	185.228.139.123	192.168.2.5
May 24, 2024 08:09:04.591320038 CEST	4444	49711	185.228.139.123	192.168.2.5
May 24, 2024 08:09:04.591527939 CEST	49711	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:06.250333071 CEST	4444	49711	185.228.139.123	192.168.2.5
May 24, 2024 08:09:06.250418901 CEST	49711	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:06.250844002 CEST	49711	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:06.251750946 CEST	49712	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:06.263322115 CEST	4444	49711	185.228.139.123	192.168.2.5
May 24, 2024 08:09:06.315428972 CEST	4444	49712	185.228.139.123	192.168.2.5
May 24, 2024 08:09:06.315656900 CEST	49712	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:07.984026909 CEST	4444	49712	185.228.139.123	192.168.2.5
May 24, 2024 08:09:07.984281063 CEST	49712	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:08.556834936 CEST	49712	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:08.557610035 CEST	49713	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:08.561845064 CEST	4444	49712	185.228.139.123	192.168.2.5
May 24, 2024 08:09:08.607424974 CEST	4444	49713	185.228.139.123	192.168.2.5
May 24, 2024 08:09:08.607628107 CEST	49713	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:10.247121096 CEST	4444	49713	185.228.139.123	192.168.2.5
May 24, 2024 08:09:10.247333050 CEST	49713	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:10.247683048 CEST	49713	4444	192.168.2.5	185.228.139.123
May 24, 2024 08:09:10.257178068 CEST	4444	49713	185.228.139.123	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 08:09:14.324721098 CEST	53	50815	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	02:08:51
Start date:	24/05/2024
Path:	C:\Users\user\Desktop\hot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hot.exe"
Imagebase:	0x400000
File size:	73'802 bytes
MD5 hash:	DE9FFCF77572E26F4BAA2095DFA7FB87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000000.1966597061.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	17%
Signature Coverage:	15.1%
Total number of Nodes:	53
Total number of Limit Nodes:	3

Executed Functions

Function 006A0095 Relevance: 6.1, APIs: 4, Instructions: 81
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,5C110002,7B8BE4B9,0000000A,?,?,5F327377,00003233), ref: 006A00D5
connect.WS2_32(6174A599,?,?,00000010,?,?,5F327377,00003233), ref: 006A00E1
recv.WS2_32(5FC8D902,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 006A00FC
closesocket.WS2_32(614D6E75,?,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 006A013F

Memory Dump Source

Source File: 00000000.00000002.2142942895.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_hot.jbxd

Yara matches

Similarity

API ID: Socketclosesocketconnectrecv
String ID:
API String ID: 2083937939-0
Opcode ID: d30f026dcc911f5eaead0688b332088694eea6a20b7db6d9e727deff9f5c20be
Instruction ID: fd4dc147a49e0e7fdb80f22de79ec8bd063cae56c0931d05ecc7db2b7efa11ad
Opcode Fuzzy Hash: d30f026dcc911f5eaead0688b332088694eea6a20b7db6d9e727deff9f5c20be
Instruction Fuzzy Hash: BC11CCB07802983EF53032A69C07FFB791CCF43BA8F110029BB45EA1C1C992AC4085FA

Function 00401DA7 Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 00401DBA

Memory Dump Source

Source File: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2142763833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142805745.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142825736.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142846184.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hot.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a12c6e8e49a27229ae3c5f5d7822d255dd41ce9c567fa7223cf449aa573d7ea4
Instruction ID: 8b591fcd1d859c176b2dd51a48897bebbe986a8da73b03974c745c0b4ecf3b5f
Opcode Fuzzy Hash: a12c6e8e49a27229ae3c5f5d7822d255dd41ce9c567fa7223cf449aa573d7ea4
Instruction Fuzzy Hash: B1E0D861399246DBD6003E5088D21F537C99F1E3417201A36D44BAB2F3DA747502A65A

Function 00401D50 Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 00401DBA

Memory Dump Source

Source File: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2142763833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142805745.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142825736.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142846184.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hot.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4132f128bd94e0b2698c861ebd9a2b8994c23292d83194215efec6fbf47b17a6
Instruction ID: 22a4f9e1f32fc30316f368b1a9c9e23bb3f451528baa5ee74c3eca02dbef07b2
Opcode Fuzzy Hash: 4132f128bd94e0b2698c861ebd9a2b8994c23292d83194215efec6fbf47b17a6
Instruction Fuzzy Hash: 0DE0262034D1D9DBD6037A6084816F87A875F0F781B201533E847B91F2D9BC3403622F

Function 00401D66 Relevance: 1.3, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 00401DBA

Memory Dump Source

Source File: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2142763833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142805745.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142825736.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142846184.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hot.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 43e3a67009e2cc4d1d91f7a271febd32e2399b90eb2e7145ae2165e4c3bce837
Instruction ID: a0204d764836d8f7f35964fc2906d9d58722ab20df33c151f6dcd9f8761b621a
Opcode Fuzzy Hash: 43e3a67009e2cc4d1d91f7a271febd32e2399b90eb2e7145ae2165e4c3bce837
Instruction Fuzzy Hash: 43E08C2028D286DBC000666148867F9218A1F4E781F301936A64BBA1F1CAB86102629E

Function 00401D58 Relevance: 1.3, APIs: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 00401DBA

Memory Dump Source

Source File: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2142763833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142805745.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142825736.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142846184.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hot.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7310f6efe4296d7f310ff911644af03a18dc7cc8b46f202bfadc91a9b7e1d6ff
Instruction ID: 9fca57e173d7bb98229512d7d39bc469c4e8e309763de5c351a4003721aa425c
Opcode Fuzzy Hash: 7310f6efe4296d7f310ff911644af03a18dc7cc8b46f202bfadc91a9b7e1d6ff
Instruction Fuzzy Hash: 88D017243DE189E6D00121608882BFA518A1F0E782F202933AA0F761E299BC2402219F

Function 00401D90 Relevance: 1.3, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 00401DBA

Memory Dump Source

Source File: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2142763833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142805745.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142825736.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142846184.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hot.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3351bbbf68dcf42d826247a8ab76b95cceade298e78028f01dcaae6b52c363e2
Instruction ID: cda3b2a9287f4f52490d00a6b5f25d3d9bcb041b0ee8fabb75a650617eb15363
Opcode Fuzzy Hash: 3351bbbf68dcf42d826247a8ab76b95cceade298e78028f01dcaae6b52c363e2
Instruction Fuzzy Hash: 05D05E3025D189DFD600BE6084812F576CB5F1E381B701A3AD80BBA1E2DEBC7802A65E

Function 00401D89 Relevance: 1.3, APIs: 1, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 00401DBA

Memory Dump Source

Source File: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2142763833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142805745.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142825736.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142846184.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hot.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e44746c50d74001ec86b992fb59fb66a24ec1cdf003cef781942761cabcafca6
Instruction ID: b3947d0234e853e5bd8ff974dfe031b16c7c977ed0ce794371792439aa4c2cb6
Opcode Fuzzy Hash: e44746c50d74001ec86b992fb59fb66a24ec1cdf003cef781942761cabcafca6
Instruction Fuzzy Hash: DAC0121438D149D7C04076A088817F8108B0F0E741F702937940FB51F2DDBC2403715F

Non-executed Functions

Function 004055CB Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2142763833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142805745.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142825736.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142846184.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hot.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039f0455b507013a8700257e8658f9af6edcc47e10fcdf47ecdca07238aa146e
Instruction ID: b069a52e15f88f0bd75ee13d2957d68d11c92b80273ee7489bad17d7e43b9375
Opcode Fuzzy Hash: 039f0455b507013a8700257e8658f9af6edcc47e10fcdf47ecdca07238aa146e
Instruction Fuzzy Hash: 060149705087819EC715CF689880AD9BFB4EF42330F2447AED464CF692C320D485CB95

Function 004048F3 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142783851.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2142763833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142805745.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142825736.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142846184.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hot.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438b1b789be0b818d9efc19669a70cd2367cad539b25d9c57029a0814946adf3
Instruction ID: a1c1d65d24bf94b08b84d029928238538ea049b644b0cec1f46a363bbf89d601
Opcode Fuzzy Hash: 438b1b789be0b818d9efc19669a70cd2367cad539b25d9c57029a0814946adf3
Instruction Fuzzy Hash: 75C02B2850D2040B4702EC8C98D06F6F7FB2BA7740F047001C2057B303C511F04E87D8

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hot.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
hot.exe

Function 006A0095 Relevance: 6.1, APIs: 4, Instructions: 81
networkCOMMON

Function 00401DA7 Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Function 00401D50 Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMON

Function 00401D66 Relevance: 1.3, APIs: 1, Instructions: 28
memoryCOMMON

Function 00401D58 Relevance: 1.3, APIs: 1, Instructions: 27
memoryCOMMON

Function 00401D90 Relevance: 1.3, APIs: 1, Instructions: 20
memoryCOMMON

Function 00401D89 Relevance: 1.3, APIs: 1, Instructions: 18
memoryCOMMON