Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "185.208.158.176", "Port": 9283}
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | ReversingLabs: Detection: 79%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.4% probability
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\rundll32.exe | Network Connect: 185.208.158.176 9283
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 185.208.158.176:9283
Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT
Source: unknown | TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: Number of sections : 21 > 10
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: classification engine | Classification label: mal88.troj.evad.winDLL@16/0@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll,buf
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: Image base 0x1d57b0000 > 0x60000000
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE126D1370 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00007FFE126D1370
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /4
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: .xdata
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /14
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /29
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /41
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /55
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /67
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /80
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /91
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /107
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll | Static PE information: section name: /123
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFE126E02D5 pushfq ; retf | 0_2_00007FFE126E02EC
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: loaddll64.exe, 00000000.00000002.1671178171.0000014ECF538000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1643910760.00000251F1788000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1643917605.0000019540E08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Yara match | File source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000014ECF5100F1 LoadLibraryA,WSAStartup,WSASocketA,connect,CreateProcessA,ExitProcess, string: cmd | 0_2_0000014ECF5100F1
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00000251F17700F1 LoadLibraryA,WSAStartup,WSASocketA,connect,CreateProcessA,ExitProcess, string: cmd | 3_2_00000251F17700F1
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_0000019540F000F1 LoadLibraryA,WSAStartup,WSASocketA,connect,CreateProcessA,ExitProcess, string: cmd | 4_2_0000019540F000F1