Windows Analysis Report
cHZiG7fsJb.exe

Overview

General Information

Sample name: cHZiG7fsJb.exe
renamed because original name is a hash value
Original sample name: d7d2985f5828632f9c89712a4a194424.exe
Analysis ID: 1541862
MD5: d7d2985f5828632f9c89712a4a194424
SHA1: bb138c3d9f957b63662907807b6840ac0d08f0bb
SHA256: bf86d7f3c6ab2587b7b19de58e2e07bae52de1afa7f592e1ae37c557fd5182fa
Tags: 32exetrojan

Detection

Metasploit
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Machine Learning detection for sample
Detected TCP or UDP traffic on non-standard ports
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: cHZiG7fsJb.exe Avira: detected
Source: cHZiG7fsJb.exe Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "212.192.213.56", "Port": 4488}
Source: cHZiG7fsJb.exe ReversingLabs: Detection: 87%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: cHZiG7fsJb.exe Joe Sandbox ML: detected
Source: cHZiG7fsJb.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: cHZiG7fsJb.exe
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 4x nop then pop esp 0_2_00401E74
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 4x nop then fxch4 st(6) 0_2_00406740
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 212.192.213.56:4488
Source: Joe Sandbox View ASN Name: LIVECOMM-ASRespublikanskayastr3k6RU LIVECOMM-ASRespublikanskayastr3k6RU
Source: unknown TCP traffic detected without corresponding DNS query: 212.192.213.56 (this entry is repeated 40 times in the report)
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_00590095 WSASocketA,connect,recv,closesocket, 0_2_00590095
Source: cHZiG7fsJb.exe String found in binary or memory: http://www.apache.org/
Source: cHZiG7fsJb.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cHZiG7fsJb.exe String found in binary or memory: http://www.zeustech.net/

System Summary

Source: cHZiG7fsJb.exe, type: SAMPLE Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.0.cHZiG7fsJb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.2.cHZiG7fsJb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.2083738296.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.2083593181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000000.2069743417.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: cHZiG7fsJb.exe, 00000000.00000002.2083647972.0000000000415000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameab.exeF vs cHZiG7fsJb.exe
Source: cHZiG7fsJb.exe Binary or memory string: OriginalFilenameab.exeF vs cHZiG7fsJb.exe
Source: cHZiG7fsJb.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.0.cHZiG7fsJb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.2.cHZiG7fsJb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.2083738296.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.2083593181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000000.2069743417.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: cHZiG7fsJb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal96.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Section loaded: mswsock.dll Jump to behavior
Source: cHZiG7fsJb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_00404477 push eax; ret 0_2_0040454E
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_0040B805 push eax; ret 0_2_0040B86E
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_00405434 push es; iretd 0_2_00405435
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_004042A8 push 0040EA20h; retf 0_2_004042C8
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_00404505 push eax; ret 0_2_0040454E
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_00406F1E push 0000005Dh; retn 0014h 0_2_00406F2D
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_00405721 pushfd ; ret 0_2_00405722
Source: C:\Users\user\Desktop\cHZiG7fsJb.exe Code function: 0_2_00406D3F push es; ret 0_2_00406D45
Source: cHZiG7fsJb.exe Static PE information: section name: .text entropy: 7.024280591711365
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: cHZiG7fsJb.exe, 00000000.00000002.2083767995.000000000064E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Remote Access Functionality

Source: Yara match File source: cHZiG7fsJb.exe, type: SAMPLE
Source: Yara match File source: 0.0.cHZiG7fsJb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cHZiG7fsJb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2083738296.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2083593181.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2069743417.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY