Windows Analysis Report
XKfrTsDzj.exe

Overview

General Information

Sample name: XKfrTsDzj.exe
Analysis ID: 1465757
MD5: a7e58880e45dbd5f5b2618ee63722e21
SHA1: 8c3755417b2d2ec1701efe8e85df24ca5e6571e0
SHA256: 023047d7da62aaeb9f3490f86283920703734f7496b14c64c0661834f4ab4561

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

AV Detection

Source: XKfrTsDzj.exe Avira: detected
Source: XKfrTsDzj.exe Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "10.50.1.11", "Port": 4545}
Source: XKfrTsDzj.exe ReversingLabs: Detection: 95%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: XKfrTsDzj.exe Joe Sandbox ML: detected
Source: XKfrTsDzj.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: XKfrTsDzj.exe
Source: XKfrTsDzj.exe String found in binary or memory: http://www.apache.org/
Source: XKfrTsDzj.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: XKfrTsDzj.exe String found in binary or memory: http://www.zeustech.net/

System Summary

Source: XKfrTsDzj.exe, type: SAMPLE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: XKfrTsDzj.exe, type: SAMPLE Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth
Source: 00000000.00000002.865913176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.865894062.0000000000020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000000.339032705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\Users\user\Desktop\XKfrTsDzj.exe Memory allocated: 770B0000 page execute and read and write
Source: XKfrTsDzj.exe, 00000000.00000002.865921737.0000000000415000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameab.exeF vs XKfrTsDzj.exe
Source: XKfrTsDzj.exe Binary or memory string: OriginalFilenameab.exeF vs XKfrTsDzj.exe
Source: XKfrTsDzj.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: XKfrTsDzj.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: XKfrTsDzj.exe, type: SAMPLE Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.865913176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000000.00000002.865894062.0000000000020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000000.00000000.339032705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: XKfrTsDzj.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\XKfrTsDzj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: XKfrTsDzj.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\XKfrTsDzj.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\XKfrTsDzj.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\XKfrTsDzj.exe Section loaded: wsock32.dll
Source: XKfrTsDzj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: XKfrTsDzj.exe
Source: XKfrTsDzj.exe Static PE information: section name: .text entropy: 7.010796144372727
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging

Source: C:\Users\user\Desktop\XKfrTsDzj.exe Process Stats: CPU usage > 42% for more than 60s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Remote Access Functionality

Source: Yara match File source: XKfrTsDzj.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.865913176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.865894062.0000000000020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.339032705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY