Click to jump to signature section
Source: XKfrTsDzj.exe | Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "10.50.1.11", "Port": 4545} |
Source: XKfrTsDzj.exe | ReversingLabs: Detection: 95% |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.8% probability |
Source: XKfrTsDzj.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: | Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: XKfrTsDzj.exe |
Source: XKfrTsDzj.exe | String found in binary or memory: http://www.apache.org/ |
Source: XKfrTsDzj.exe | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: XKfrTsDzj.exe | String found in binary or memory: http://www.zeustech.net/ |
Source: XKfrTsDzj.exe, type: SAMPLE | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: XKfrTsDzj.exe, type: SAMPLE | Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth |
Source: 00000000.00000002.865913176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000002.865894062.0000000000020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000000.339032705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: C:\Users\user\Desktop\XKfrTsDzj.exe | Memory allocated: 770B0000 page execute and read and write | Jump to behavior |
Source: XKfrTsDzj.exe, 00000000.00000002.865921737.0000000000415000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameab.exeF vs XKfrTsDzj.exe |
Source: XKfrTsDzj.exe | Binary or memory string: OriginalFilenameab.exeF vs XKfrTsDzj.exe |
Source: XKfrTsDzj.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: XKfrTsDzj.exe, type: SAMPLE | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23 |
Source: XKfrTsDzj.exe, type: SAMPLE | Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.865913176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23 |
Source: 00000000.00000002.865894062.0000000000020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23 |
Source: 00000000.00000000.339032705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23 |
Source: XKfrTsDzj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1 |
Source: XKfrTsDzj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\XKfrTsDzj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: XKfrTsDzj.exe | ReversingLabs: Detection: 95% |
Source: C:\Users\user\Desktop\XKfrTsDzj.exe | Section loaded: wow64win.dll | Jump to behavior |
Source: C:\Users\user\Desktop\XKfrTsDzj.exe | Section loaded: wow64cpu.dll | Jump to behavior |
Source: C:\Users\user\Desktop\XKfrTsDzj.exe | Section loaded: wsock32.dll | Jump to behavior |
Source: XKfrTsDzj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: | Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: XKfrTsDzj.exe |
Source: XKfrTsDzj.exe | Static PE information: section name: .text entropy: 7.010796144372727 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\XKfrTsDzj.exe | Process Stats: CPU usage > 42% for more than 60s |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Yara match | File source: XKfrTsDzj.exe, type: SAMPLE |
Source: Yara match | File source: 00000000.00000002.865913176.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.865894062.0000000000020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.339032705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |