Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll (renamed file extension from exe to dll)
Original sample name:	SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.exe
Analysis ID:	1467859
MD5:	871caeec989ffecccf0c3959dc616e2a
SHA1:	8697c921d392599123bf0b153f1dfc61f35fb7b0
SHA256:	28fcf4b235518de264af772326317d63fcbf845fbd9d48ef8f996a2a3d9955f1
Tags:	exe
Infos:

Detection

Metasploit

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Metasploit Payload

AI detected suspicious sample

Contains functionality to start reverse TCP shell (cmd.exe)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7300 cmdline: loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7380 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 7408 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 7360 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll,buf MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 7400 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7524 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Metasploit Connect", "IP": "185.208.158.176", "Port": 9283}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x38:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x9c:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0xf2:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x38:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x9c:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0xf2:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x38:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x9c:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0xf2:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
Click to see the 7 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "185.208.158.176", "Port": 9283}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 185.208.158.176 9283

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 185.208.158.176:9283

Source: Joe Sandbox View

ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT

Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.158.176

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown

Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Static PE information: Number of sections : 21 > 10

Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04

Source: classification engine

Classification label: mal88.troj.evad.winDLL@16/0@0/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03

Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll,buf

Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll,buf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll,buf	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Static PE information: Image base 0x1d57b0000 > 0x60000000

Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE126D1370 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FFE126D1370

Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /4
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: .xdata
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /14
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /29
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /41
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /55
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /67
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /80
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /91
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /107
Source: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	Static PE information: section name: /123

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE126E02D5 pushfq ; retf

0_2_00007FFE126E02EC

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: loaddll64.exe, 00000000.00000002.1671178171.0000014ECF538000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1643910760.00000251F1788000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1643917605.0000019540E08000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFE126D1370 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FFE126D1370

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 185.208.158.176 9283

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe cmd	Jump to behavior

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to start reverse TCP shell (cmd.exe)

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000014ECF5100F1 LoadLibraryA,WSAStartup,WSASocketA,connect,CreateProcessA,ExitProcess, string: cmd	0_2_0000014ECF5100F1
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000251F17700F1 LoadLibraryA,WSAStartup,WSASocketA,connect,CreateProcessA,ExitProcess, string: cmd	3_2_00000251F17700F1
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000019540F000F1 LoadLibraryA,WSAStartup,WSASocketA,connect,CreateProcessA,ExitProcess, string: cmd	4_2_0000019540F000F1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	1 Rundll32	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll	79%	ReversingLabs	Win64.Backdoor.Meterpreter

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.208.158.176	unknown	Switzerland		34888	SIMPLECARRER2IT	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467859
Start date and time:	2024-07-04 23:23:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll (renamed file extension from exe to dll)
Original Sample Name:	SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.exe
Detection:	MAL
Classification:	mal88.troj.evad.winDLL@16/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 3
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.208.158.176	EERIE_EAVE.exe	Get hash	malicious	Sliver	Browse	185.208.158.176:8080/samples.html?_=64t16897&ei=72928428
185.208.158.176	EERIE_EAVE.exe	Get hash	malicious	Sliver	Browse	185.208.158.176:8080/samples.html?_=46175850&el=749489d56

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRER2IT	JD40PL83OU.exe	Get hash	malicious	Sliver	Browse	185.208.158.176
	EERIE_EAVE.exe	Get hash	malicious	Sliver	Browse	185.208.158.176
	EERIE_EAVE.exe	Get hash	malicious	Sliver	Browse	185.208.158.176
	ok.exe	Get hash	malicious	Sliver	Browse	185.208.158.176
	3lcoXbiq6u.exe	Get hash	malicious	Unknown	Browse	185.196.8.223
	oDlNf4iAZo.exe	Get hash	malicious	Nightingale Stealer	Browse	185.196.8.243
	pC8PWLyWY5.exe	Get hash	malicious	Nightingale Stealer	Browse	185.196.8.223
	http://appsjda.link/	Get hash	malicious	Unknown	Browse	185.208.158.232
	kuQuRlbfuGOQVwhn	Get hash	malicious	Unknown	Browse	185.196.8.104
	VYpUjX9FuO.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.196.8.31

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	5.437119343689565
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll
File size:	97'776 bytes
MD5:	871caeec989ffecccf0c3959dc616e2a
SHA1:	8697c921d392599123bf0b153f1dfc61f35fb7b0
SHA256:	28fcf4b235518de264af772326317d63fcbf845fbd9d48ef8f996a2a3d9955f1
SHA512:	c4dded959c5238cf8b2e43f3e8869027862f7d8f2cec98217f6e3f9034db3e171da40fd36b7cc97727807f1b2540366c476048de1809ebcbdecdb858237f3125
SSDEEP:	1536:uSyZzfkXVEDS9vNzTISZfwZzds/Wohl8IWRuEFHyNhKO5n195jfh187Rt9hg2aE9:fEzsXVE2/MhuXC
TLSH:	97A30882AAC5FD93CA056234A1BB03192338F6D95F874B533D6996350E037E0BE9F647
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....of.&........& ...'.....4...... .........{..............................0............`... ............................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1d57b1320
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1d57b0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x666FF8F0 [Mon Jun 17 08:50:56 2024 UTC]
TLS Callbacks:	0xd57b1610, 0x1, 0xd57b15e0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6490015bd77f7aa9aab54479cf5a74a0

Entrypoint Preview

Instruction
dec eax
mov eax, dword ptr [00002F59h]
mov dword ptr [eax], 00000000h
jmp 00007F889D2A7F53h
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
mov edx, ecx
dec eax
lea ecx, dword ptr [00006CB6h]
jmp 00007F889D2A9066h
nop
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax+00h]
xor eax, eax
ret
nop word ptr [eax+eax+00000000h]
nop
push ebp
push edi
push esi
push ebx
dec eax
sub esp, 28h
dec eax
lea ebp, dword ptr [esp+20h]
dec eax
lea esi, dword ptr [00002C7Ch]
dec eax
mov ecx, esi
call dword ptr [00008DB7h]
dec eax
mov ebx, eax
dec eax
test eax, eax
je 00007F889D2A811Dh
dec eax
mov ecx, esi
call dword ptr [00008DC6h]
dec eax
mov edi, dword ptr [00008DA7h]
dec eax
lea edx, dword ptr [00002C67h]
dec eax
mov ecx, ebx
dec eax
mov dword ptr [00006C6Ah], eax
call edi
dec eax
lea edx, dword ptr [00002C6Ah]
dec eax
mov ecx, ebx
dec eax
mov esi, eax
call edi
dec eax
mov dword ptr [00001C42h], eax
dec eax
test esi, esi
je 00007F889D2A80C2h
dec eax
lea edx, dword ptr [00006C66h]
dec eax
lea ecx, dword ptr [00003C1Fh]
call esi
dec eax
lea ecx, dword ptr [00000036h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x9000	0x43	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa000	0x41c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6000	0x1d4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x60	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4080	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa124	0xe8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1558	0x1600	bb8aca4bc8910872f87fdeea04db49be	False	0.5882457386363636	data	5.9428743225652605	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x280	0x400	04687243130680ed256ec5ad6c8847ac	False	0.5458984375	data	4.801712562155376	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4000	0x560	0x600	459f3a9200a031a2e79450967a07811a	False	0.24348958333333334	data	3.694226834730464	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x5000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6000	0x1d4	0x200	3180bd25b80e54c3cb8828e0b22f9499	False	0.548828125	data	3.497334147094282	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x7000	0x154	0x200	6cf9920431fdfb39b855eeb20fbef00a	False	0.345703125	data	2.984183795217659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x8000	0x170	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x9000	0x43	0x200	38b0549c7847bede2b6e3bcf28c8bf69	False	0.123046875	data	0.6426194097824256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0xa000	0x41c	0x600	a9b92cc364ee2ffcd7eff97d44669782	False	0.2766927083333333	data	2.855490786391457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xb000	0x58	0x200	9dff61b180a9f0965e4da600c5edaac5	False	0.056640625	data	0.25323120180391656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xc000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xd000	0x60	0x200	34c0d0b259d4837222854ce3cea0fa46	False	0.189453125	data	1.0186626409090969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/14	0xe000	0x2d0	0x400	3ca658f512f24ae3a14c54c5a55c3f9b	False	0.181640625	data	1.3447244320081995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29	0xf000	0x8193	0x8200	853ed351e1ea69423670550dfa2bb90c	False	0.4075721153846154	Squeak image data	5.924485700162219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41	0x18000	0x1640	0x1800	78c62db818fbcb5c75ef23ad9f250850	False	0.2810872395833333	data	4.676113924741409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55	0x1a000	0x1727	0x1800	4f2772bdf8b207d841c92265c6acc44e	False	0.4978841145833333	data	4.9303519765616315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67	0x1c000	0x990	0xa00	a91ec38f24b9ab48eab8d0560dc01204	False	0.30234375	data	3.4737412794346043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/80	0x1d000	0x186	0x200	5126e545058b9dca56a5fca3e5550ccc	False	0.4609375	data	4.419913741331939	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/91	0x1e000	0x152d	0x1600	1fb5f8a0169fe8bcf13df1418e6a4bb9	False	0.107421875	data	4.664808635473231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/107	0x20000	0x11a7	0x1200	1e36692fec0841986b7b87e0bc8d916d	False	0.484375	data	5.029951036905709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/123	0x22000	0x18b	0x200	b0a4ffc1fa0a8b228f644c13041206b0	False	0.55078125	data	4.0696893516273445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, Sleep, TlsGetValue, VirtualAlloc, VirtualProtect, VirtualQuery
msvcrt.dll	__iob_func, _amsg_exit, _initterm, _lock, _unlock, abort, calloc, free, fwrite, realloc, strlen, strncmp, vfprintf

Exports

Name	Ordinal	Address
buf	1	0x1d57b3020

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 23:23:51.328109026 CEST	49730	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:51.329319954 CEST	49731	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:51.335256100 CEST	9283	49730	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:51.335778952 CEST	9283	49731	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:51.335875988 CEST	49731	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:51.335880995 CEST	49730	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:51.442523003 CEST	49731	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:51.442534924 CEST	49730	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:51.447670937 CEST	9283	49731	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:51.447681904 CEST	9283	49730	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:51.447748899 CEST	49731	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:51.447767973 CEST	49730	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:51.452581882 CEST	9283	49731	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:51.452634096 CEST	9283	49730	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:53.274375916 CEST	9283	49730	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:53.274650097 CEST	49730	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:53.274703026 CEST	9283	49731	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:53.274764061 CEST	49731	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:53.663568020 CEST	49731	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:53.665779114 CEST	49730	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:54.326725006 CEST	49732	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:54.331659079 CEST	9283	49732	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:54.331770897 CEST	49732	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:54.349744081 CEST	49732	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:54.354506016 CEST	9283	49732	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:54.354579926 CEST	49732	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:54.359385967 CEST	9283	49732	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:56.256891966 CEST	9283	49732	185.208.158.176	192.168.2.4
Jul 4, 2024 23:23:56.256982088 CEST	49732	9283	192.168.2.4	185.208.158.176
Jul 4, 2024 23:23:56.667321920 CEST	49732	9283	192.168.2.4	185.208.158.176

Target ID:	0
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll"
Imagebase:	0x7ff6aeb60000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1
Imagebase:	0x7ff75bb60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll,buf
Imagebase:	0x7ff63ac50000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll",#1
Imagebase:	0x7ff63ac50000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x7ff75bb60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x7ff75bb60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7416, Parent PID: 7400

General

Target ID:	7
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:23:50
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:23:53
Start date:	04/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd
Imagebase:	0x7ff75bb60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Disassembly

Reset < >

Analysis Process: loaddll64.exePID: 7300, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	20.1%
Dynamic/Decrypted Code Coverage:	6.1%
Signature Coverage:	7.1%
Total number of Nodes:	99
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000014ECF5100F1 Relevance: 15.1, APIs: 6, Strings: 2, Instructions: 1135
networkprocesslibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000014ECF510123
WSAStartup.WS2_32 ref: 0000014ECF510134
WSASocketA.WS2_32(00000000,00000000), ref: 0000014ECF510150
connect.WS2_32 ref: 0000014ECF510165
CreateProcessA.KERNELBASE ref: 0000014ECF5101BA
ExitProcess.KERNEL32 ref: 0000014ECF5101F1

Strings

ws2_, xrefs: 0000014ECF5100F3
cmd, xrefs: 0000014ECF51016F

Memory Dump Source

Source File: 00000000.00000002.1671128560.0000014ECF510000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014ECF510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ecf510000_loaddll64.jbxd

Yara matches

Similarity

API ID: Process$CreateExitLibraryLoadSocketStartupconnect
String ID: cmd$ws2_
API String ID: 1708454136-3237529508
Opcode ID: 71dfb261d9fd836fd7f0068f1150b946d067d1891a4b52393b0335abde82cc52
Instruction ID: 6feb498fe7adfdcedc0dd7c3901e6e160dab0dfe803cc24cecad38e9fecdca7a
Opcode Fuzzy Hash: 71dfb261d9fd836fd7f0068f1150b946d067d1891a4b52393b0335abde82cc52
Instruction Fuzzy Hash: F1312760B58A4C1BF21D21596C0E93736CED79B715F10816FF98AC72E7DC509C8341AB

Function 00007FFE126D1460 Relevance: 1.3, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFE126D149E

Memory Dump Source

Source File: 00000000.00000002.1671873164.00007FFE126D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000000.00000002.1671857165.00007FFE126D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671887080.00007FFE126D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671907968.00007FFE126D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672014765.00007FFE126D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672764476.00007FFE126DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672844194.00007FFE126DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe126d0000_loaddll64.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 550f36a69d5fc6f3d7ef6075f3b9dfda6a51651a98a0a4e7fe176978030951ad
Instruction ID: b848c15bf8c258c17e60210322d0fecae67bbd643135497c1dcabababdfb7f3a
Opcode Fuzzy Hash: 550f36a69d5fc6f3d7ef6075f3b9dfda6a51651a98a0a4e7fe176978030951ad
Instruction Fuzzy Hash: 7F119172B20B8886E7048B69D8006DC27A0E749BF4F544239DE6C57BD4DA38C551C340

Non-executed Functions

Function 00007FFE126D1370 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFE126D1387
LoadLibraryA.KERNEL32 ref: 00007FFE126D1398
GetProcAddress.KERNEL32 ref: 00007FFE126D13B6
GetProcAddress.KERNEL32 ref: 00007FFE126D13C5

Strings

__deregister_frame_info, xrefs: 00007FFE126D13B8
__register_frame_info, xrefs: 00007FFE126D13A5
libgcc_s_dw2-1.dll, xrefs: 00007FFE126D137D

Memory Dump Source

Source File: 00000000.00000002.1671873164.00007FFE126D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000000.00000002.1671857165.00007FFE126D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671887080.00007FFE126D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671907968.00007FFE126D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672014765.00007FFE126D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672764476.00007FFE126DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672844194.00007FFE126DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe126d0000_loaddll64.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: d7019b6e49358472544b9a1482c9ccd247431350295f6d8abb0b0ffc93d1be17
Instruction ID: d459ee0be3287634dedfe5d348e0b72a7220ef057511c70bcf196ea06b0fa70c
Opcode Fuzzy Hash: d7019b6e49358472544b9a1482c9ccd247431350295f6d8abb0b0ffc93d1be17
Instruction Fuzzy Hash: 4D01B720E09E5F93EA259B47BC502B423A4BF487A5B8545B1C88D437B4EEECA906C340

Function 00007FFE126D16B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FFE126D17CB

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFE126D1861
Address %p has no image-section, xrefs: 00007FFE126D1722, 00007FFE126D1875
VirtualProtect failed with code 0x%x, xrefs: 00007FFE126D183E
Mingw-w64 runtime failure:, xrefs: 00007FFE126D16E7

Memory Dump Source

Source File: 00000000.00000002.1671873164.00007FFE126D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000000.00000002.1671857165.00007FFE126D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671887080.00007FFE126D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671907968.00007FFE126D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672014765.00007FFE126D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672764476.00007FFE126DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672844194.00007FFE126DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe126d0000_loaddll64.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 047ac82dca066b42efc2a601d2e153124c0eb051c46cc83277b14deb1ea37f26
Instruction ID: a876f1b108ec037f100674bed2f0103b08d574749da32a2e6f0ed14ef01b1829
Opcode Fuzzy Hash: 047ac82dca066b42efc2a601d2e153124c0eb051c46cc83277b14deb1ea37f26
Instruction Fuzzy Hash: 2F419076A08E4E83EB109F52EC446A967A0FF85BA4F8442B5DA8C073F5DEBCE545C740

Function 00007FFE126D1010 Relevance: 6.1, APIs: 4, Instructions: 107
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FFE126D1055
_amsg_exit.MSVCRT ref: 00007FFE126D107F

Memory Dump Source

Source File: 00000000.00000002.1671873164.00007FFE126D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000000.00000002.1671857165.00007FFE126D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671887080.00007FFE126D3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671907968.00007FFE126D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672014765.00007FFE126D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672764476.00007FFE126DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1672844194.00007FFE126DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe126d0000_loaddll64.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 83309196a835a35b6abbe5e2eb965c1e7e9af00a985b5e7e06ca3a5a340e373e
Instruction ID: 2ce8544c1834f759acb9eb8caa91dcbf6b6ce93a46d5eeb303b3a1fd55c2d3ed
Opcode Fuzzy Hash: 83309196a835a35b6abbe5e2eb965c1e7e9af00a985b5e7e06ca3a5a340e373e
Instruction Fuzzy Hash: FF413731A09A8EC7F761AB57EC807792291AF44BA4F9440B5CE8C873F5DEECE8419340

Analysis Process: rundll32.exePID: 7360, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	60.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000251F17700F1 Relevance: 15.1, APIs: 6, Strings: 2, Instructions: 1135
networkprocesslibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000251F1770123
WSAStartup.WS2_32 ref: 00000251F1770134
WSASocketA.WS2_32(00000000,00000000), ref: 00000251F1770150
connect.WS2_32 ref: 00000251F1770165
CreateProcessA.KERNELBASE ref: 00000251F17701BA
ExitProcess.KERNEL32 ref: 00000251F17701F1

Strings

ws2_, xrefs: 00000251F17700F3
cmd, xrefs: 00000251F177016F

Memory Dump Source

Source File: 00000003.00000002.1643896439.00000251F1770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000251F1770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_251f1770000_rundll32.jbxd

Yara matches

Similarity

API ID: Process$CreateExitLibraryLoadSocketStartupconnect
String ID: cmd$ws2_
API String ID: 1708454136-3237529508
Opcode ID: 71dfb261d9fd836fd7f0068f1150b946d067d1891a4b52393b0335abde82cc52
Instruction ID: 8685c32a923c86c36b6fb03fb709b77b47f8899c70fcb2f918e6e30a663ddb20
Opcode Fuzzy Hash: 71dfb261d9fd836fd7f0068f1150b946d067d1891a4b52393b0335abde82cc52
Instruction Fuzzy Hash: 1F312760B58A4C1BE21C61596C0EA3736CEC79B716F10426FE88EC72D7DC519C8341AB

Analysis Process: rundll32.exePID: 7380, Parent PID: 7352COMMON

Execution Graph

Execution Coverage:	60.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000019540F000F1 Relevance: 15.1, APIs: 6, Strings: 2, Instructions: 1135
networkprocesslibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000019540F00123
WSAStartup.WS2_32 ref: 0000019540F00134
WSASocketA.WS2_32(00000000,00000000), ref: 0000019540F00150
connect.WS2_32 ref: 0000019540F00165
CreateProcessA.KERNELBASE ref: 0000019540F001BA
ExitProcess.KERNEL32 ref: 0000019540F001F1

Strings

cmd, xrefs: 0000019540F0016F
ws2_, xrefs: 0000019540F000F3

Memory Dump Source

Source File: 00000004.00000002.1643975129.0000019540F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019540F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_19540f00000_rundll32.jbxd

Yara matches

Similarity

API ID: Process$CreateExitLibraryLoadSocketStartupconnect
String ID: cmd$ws2_
API String ID: 1708454136-3237529508
Opcode ID: 71dfb261d9fd836fd7f0068f1150b946d067d1891a4b52393b0335abde82cc52
Instruction ID: 051610d3d6727538a9839e9c0f7bfa95b584518320dbbd796d4df50366874b46
Opcode Fuzzy Hash: 71dfb261d9fd836fd7f0068f1150b946d067d1891a4b52393b0335abde82cc52
Instruction Fuzzy Hash: 6C31E561B58A8C2BE21D61696C0E93736CEC79B715F10417FE98AC7296EC509C8341AB

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 7300, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7308, Parent PID: 7300

Windows Analysis Report
SecuriteInfo.com.Win64.MetasploitEncod-B.26495.10712.dll

Function 0000014ECF5100F1 Relevance: 15.1, APIs: 6, Strings: 2, Instructions: 1135
networkprocesslibraryCOMMON

Function 00007FFE126D1460 Relevance: 1.3, APIs: 1, Instructions: 51
memoryCOMMON

Function 00007FFE126D1370 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40
libraryloaderCOMMON

Function 00007FFE126D16B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115
COMMON

Function 00007FFE126D1010 Relevance: 6.1, APIs: 4, Instructions: 107
sleepCOMMON

Function 00000251F17700F1 Relevance: 15.1, APIs: 6, Strings: 2, Instructions: 1135
networkprocesslibraryCOMMON

Function 0000019540F000F1 Relevance: 15.1, APIs: 6, Strings: 2, Instructions: 1135
networkprocesslibraryCOMMON