Edit tour

Windows Analysis Report
123.exe

Overview

General Information

Sample name:	123.exe
Analysis ID:	1586684
MD5:	29fd97e2ce44268ccac3ebc2bd8ed78c
SHA1:	98d3df4d3678f2efd998f62a09ec60166f8b209b
SHA256:	3d6315fa786c82b89db895d8ef45f65eba125b61206d46fe3abbaa7719b85e55
Tags:	Backdoorexemalwaremetasploituser-Joker
Infos:

Detection

Metasploit

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Metasploit Payload

AI detected suspicious sample

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

123.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\123.exe" MD5: 29FD97E2CE44268CCAC3EBC2BD8ED78C)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Metasploit Connect", "IP": "47.90.142.15", "Port": 4567}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
123.exe	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
123.exe	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
123.exe	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x73a2:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1697088418.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000000.1697088418.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x63a2:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000000.00000002.1838188937.0000000000580000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.1838188937.0000000000580000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0xd8:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x63a2:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.123.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.123.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
0.2.123.exe.400000.0.unpack	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x73a2:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
0.0.123.exe.400000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.0.123.exe.400000.0.unpack	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
0.0.123.exe.400000.0.unpack	Windows_Trojan_Metasploit_4a1c4da8	Identifies Metasploit 64 bit reverse tcp shellcode.	unknown	0x73a2:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 123.exe

Avira: detected

Found malware configuration

Source: 123.exe

Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "47.90.142.15", "Port": 4567}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: 123.exe

Joe Sandbox ML: detected

Source: 123.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: 123.exe

Source: C:\Users\user\Desktop\123.exe

Code function: 4x nop then push ebp

0_2_0040317B

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 47.90.142.15:4567

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15
Source: unknown	TCP traffic detected without corresponding DNS query: 47.90.142.15

Source: C:\Users\user\Desktop\123.exe

Code function: 0_2_00580095 WSASocketA,connect,recv,closesocket,

0_2_00580095

Source: 123.exe	String found in binary or memory: http://www.apache.org/
Source: 123.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 123.exe	String found in binary or memory: http://www.zeustech.net/

System Summary

Malicious sample detected (through community Yara rule)

Source: 123.exe, type: SAMPLE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.2.123.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 0.0.123.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000000.1697088418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.1838188937.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown

Source: 123.exe, 00000000.00000002.1838124548.0000000000415000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameab.exeF vs 123.exe
Source: 123.exe	Binary or memory string: OriginalFilenameab.exeF vs 123.exe

Source: 123.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 123.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.2.123.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 0.0.123.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000000.1697088418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.1838188937.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23

Source: 123.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal88.troj.winEXE@1/0@0/1

Source: 123.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\123.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\123.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\123.exe	Section loaded: mswsock.dll	Jump to behavior

Source: 123.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: 123.exe

Source: C:\Users\user\Desktop\123.exe	Code function: 0_2_00406076 push ebx; ret	0_2_0040607E
Source: C:\Users\user\Desktop\123.exe	Code function: 0_2_00404CEC push esi; ret	0_2_00404CF0
Source: C:\Users\user\Desktop\123.exe	Code function: 0_2_00405298 push esi; ret	0_2_004052A6
Source: C:\Users\user\Desktop\123.exe	Code function: 0_2_00402D52 push ebp; retf	0_2_00402D53
Source: C:\Users\user\Desktop\123.exe	Code function: 0_2_0040216C push edx; ret	0_2_00402173
Source: C:\Users\user\Desktop\123.exe	Code function: 0_2_00402F79 push 0040D542h; ret	0_2_00402F7F

Source: 123.exe

Static PE information: section name: .text entropy: 7.018080580865138

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 123.exe, 00000000.00000002.1838281442.00000000007FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\123.exe

Code function: 0_2_004043A4 _iob,GetSystemTimeAsFileTime,_iob,

0_2_004043A4

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: 123.exe, type: SAMPLE
Source: Yara match	File source: 0.2.123.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.123.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1697088418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1838188937.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Software Packing	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
123.exe	100%	Avira	TR/Patched.Gen2
123.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	123.exe	false	high
http://www.apache.org/	123.exe	false	high
http://www.zeustech.net/	123.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.90.142.15	unknown	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586684
Start date and time:	2025-01-09 14:14:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	123.exe
Detection:	MAL
Classification:	mal88.troj.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 3 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 123.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	arm7.elf	Get hash	malicious	Mirai	Browse	8.222.72.249
	ppc.elf	Get hash	malicious	Mirai	Browse	8.219.224.17
	spc.elf	Get hash	malicious	Mirai	Browse	8.220.214.139
	3.elf	Get hash	malicious	Unknown	Browse	147.139.100.19
	2362476847-83854387.07.exe	Get hash	malicious	Nitol	Browse	8.210.66.183
	2o63254452-763487230.06.exe	Get hash	malicious	Nitol	Browse	47.243.243.58
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	47.246.131.51
	e2664726330-76546233.05.exe	Get hash	malicious	Nitol	Browse	8.217.59.73
	ntpd.elf	Get hash	malicious	Unknown	Browse	8.210.201.184
	miori.spc.elf	Get hash	malicious	Unknown	Browse	47.251.104.78

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.320776121400298
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	123.exe
File size:	73'802 bytes
MD5:	29fd97e2ce44268ccac3ebc2bd8ed78c
SHA1:	98d3df4d3678f2efd998f62a09ec60166f8b209b
SHA256:	3d6315fa786c82b89db895d8ef45f65eba125b61206d46fe3abbaa7719b85e55
SHA512:	6928cb2c1c0a472b009e6310aedaca572027f96c42d39733b9be9b7adfee6ad39e7c1e0ecc664d865cec1618b383f79baeae20be386ba76d30e3f992b76a92e2
SSDEEP:	1536:ITfrMsjvjon5DWEOioEbMb+KR0Nc8QsJq39:afrZ85KEOTae0Nc8QsC9
TLSH:	E073BF42EDC01431D1E2133E26B63776A971F5FA2605C29A7A8CCEE5DBD18B076363C6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L....a8J...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x409549
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4A3861A3 [Wed Jun 17 03:23:15 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	481f47bbb2c9c21e108d65f52b04c448

Entrypoint Preview

Instruction
cwde
das
stc
aaa
lahf
daa
cdq
inc ecx
dec edx
lahf
clc
dec edx
dec ebx
dec eax
das
inc ebx
inc edx
daa
nop
dec ecx
aaa
inc eax
cld
clc
lahf
stc
inc ecx
dec eax
dec eax
cdq
inc ecx
inc edx
inc ecx
cmc
inc eax
cld
cld
cld
das
stc
nop
daa
cdq
xchg eax, ebx
wait
cld
dec ecx
aaa
inc edx
std
aas
cdq
cdq
cdq
cwde
nop
nop
das
cdq
dec ebx
aaa
aaa
inc edx
clc
inc ecx
aas
xchg eax, ebx
dec ecx
dec edx
salc
aas
salc
std
inc ebx
cwde
xchg eax, ebx
cwde
xchg eax, ecx
clc
std
dec ecx
nop
dec ecx
wait
stc
cwde
cld
nop
aaa
dec ecx
xchg eax, edx
inc eax
wait
daa
inc ecx
cld
wait
stc
wait
clc
stc
das
dec eax
std
lahf
dec edx
das
std
nop
cwde
dec ebx
stc
lahf
cmc
inc edx
dec ebx
cmc
lahf
dec ebx
aaa
inc ebx
inc eax
stc
aas
dec ecx
cdq
aas
stc
salc
std
wait
aas
inc eax
daa
clc
das
dec ecx
dec eax
nop
cdq
dec edx
cmc
cwde
cdq
cdq
clc
nop
dec ecx
stc
inc edx
cdq
dec ebx
inc eax
inc ebx
xchg eax, edx
inc ecx
dec edx
daa
clc
std
xchg eax, edx
dec ecx
cwde
stc
dec ebx
xchg eax, ebx
inc eax
xchg eax, ecx
dec edx
salc
lahf
inc edx
inc ebx
std
dec eax
aaa
dec ebx
stc
std
inc edx
cld
salc
daa
nop
nop
das
inc ecx
cdq
dec ebx
inc ecx
wait
dec ecx
aas
cdq
xchg eax, ebx
dec eax
nop
das
cwde

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x7c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa966	0xb000	a0bedb5e20d760bfad2de21d0d9c513c	False	0.8174272017045454	data	7.018080580865138	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0xfe6	0x1000	25d7ceee3aa85bb3e8c5174736f6f830	False	0.46142578125	DOS executable (COM, 0x8C-variant)	5.318390353744998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x705c	0x4000	283b5f792323d57b9db4d2bcc46580f8	False	0.25634765625	Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0	4.407841023203495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x15000	0x7c8	0x1000	c13a9413aea7291b6fc85d75bfcde381	False	0.197998046875	data	1.958296025171192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x15060	0x768	data	English	United States	0.40189873417721517

Imports

DLL	Import
MSVCRT.dll	_iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp
KERNEL32.dll	PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid
WSOCK32.dll	getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError
WS2_32.dll	WSARecv, WSASend

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:15:03.244247913 CET	49730	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:03.249314070 CET	4567	49730	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:03.249406099 CET	49730	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:04.649593115 CET	4567	49730	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:04.649673939 CET	49730	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:04.650127888 CET	49730	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:04.650875092 CET	49731	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:04.655050993 CET	4567	49730	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:04.655872107 CET	4567	49731	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:04.655973911 CET	49731	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:06.056557894 CET	4567	49731	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:06.056698084 CET	49731	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:06.057143927 CET	49731	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:06.058145046 CET	49732	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:06.061992884 CET	4567	49731	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:06.063196898 CET	4567	49732	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:06.063311100 CET	49732	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:07.458589077 CET	4567	49732	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:07.458659887 CET	49732	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:07.459115982 CET	49732	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:07.460030079 CET	49733	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:07.464739084 CET	4567	49732	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:07.465361118 CET	4567	49733	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:07.465434074 CET	49733	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:08.850204945 CET	4567	49733	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:08.850558996 CET	49733	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:08.850795031 CET	49733	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:08.851736069 CET	49734	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:08.855863094 CET	4567	49733	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:08.856760979 CET	4567	49734	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:08.856868029 CET	49734	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:10.284117937 CET	4567	49734	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:10.284327984 CET	49734	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:10.284651995 CET	49734	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:10.285443068 CET	49735	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:10.289511919 CET	4567	49734	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:10.290448904 CET	4567	49735	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:10.290538073 CET	49735	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:11.677795887 CET	4567	49735	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:11.678066969 CET	49735	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:11.678390980 CET	49735	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:11.679287910 CET	49736	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:11.683288097 CET	4567	49735	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:11.684180021 CET	4567	49736	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:11.684273958 CET	49736	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:13.086818933 CET	4567	49736	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:13.086889029 CET	49736	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:13.091640949 CET	49736	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:13.095860958 CET	49737	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:13.096421003 CET	4567	49736	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:13.100729942 CET	4567	49737	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:13.100807905 CET	49737	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:14.489824057 CET	4567	49737	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:14.489913940 CET	49737	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:14.490336895 CET	49737	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:14.491205931 CET	49738	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:14.495141983 CET	4567	49737	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:14.496047974 CET	4567	49738	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:14.496114016 CET	49738	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:15.903064013 CET	4567	49738	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:15.903223038 CET	49738	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:15.903949976 CET	49738	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:15.905342102 CET	49739	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:15.909018993 CET	4567	49738	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:15.910198927 CET	4567	49739	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:15.910329103 CET	49739	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:17.304220915 CET	4567	49739	47.90.142.15	192.168.2.4
Jan 9, 2025 14:15:17.304291010 CET	49739	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:17.304886103 CET	49739	4567	192.168.2.4	47.90.142.15
Jan 9, 2025 14:15:17.309608936 CET	4567	49739	47.90.142.15	192.168.2.4

Target ID:	0
Start time:	08:15:01
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\123.exe"
Imagebase:	0x400000
File size:	73'802 bytes
MD5 hash:	29FD97E2CE44268CCAC3EBC2BD8ED78C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000000.1697088418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000000.1697088418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1838188937.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000002.1838188937.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	28.1%
Signature Coverage:	25%
Total number of Nodes:	32
Total number of Limit Nodes:	4

Executed Functions

Function 00580095 Relevance: 6.1, APIs: 4, Instructions: 81
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,D7110002,0F8E5A2F,0000000A,?,?,5F327377,00003233), ref: 005800D5
connect.WS2_32(6174A599,?,?,00000010,?,?,5F327377,00003233), ref: 005800E1
recv.WS2_32(5FC8D902,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 005800FC
closesocket.WS2_32(614D6E75,?,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 0058013F

Memory Dump Source

Source File: 00000000.00000002.1838188937.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Offset: 00580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_123.jbxd

Yara matches

Similarity

API ID: Socketclosesocketconnectrecv
String ID:
API String ID: 2083937939-0
Opcode ID: ebbf11e68accb987665bedca96f9ea2eef18cedb17714efbf073221ae0e9da29
Instruction ID: ce65153fd78353c4bec281bae0ed17fa41a8aeace11b0018f68d8f001d8ae87f
Opcode Fuzzy Hash: ebbf11e68accb987665bedca96f9ea2eef18cedb17714efbf073221ae0e9da29
Instruction Fuzzy Hash: E411ADB07812587EF57032A29C4BFBB2D1CEF42BA4F500424BF45FA0C1C9829C4882FA

Function 00407177 Relevance: 1.3, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 004071A8

Memory Dump Source

Source File: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1838058999.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838090618.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838105910.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838124548.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_123.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bbe54f4ed8a20c600ad75c04fe77680d607c93ac925b51e2ba08807e894f0480
Instruction ID: 5b231865590b577aca64c6a58d33b022d1fbc9bb76de5855a0ed113413e47a4d
Opcode Fuzzy Hash: bbe54f4ed8a20c600ad75c04fe77680d607c93ac925b51e2ba08807e894f0480
Instruction Fuzzy Hash: EDF0F928F9E2449AC524B5354C81BB56615975B380F2435BF75057E3C7C8797803115F

Function 00407170 Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(E553A458,00000000,00000162,00001000,00000040), ref: 004071A8

Memory Dump Source

Source File: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1838058999.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838090618.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838105910.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838124548.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_123.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c94fd77ef40290532eb7d861cbb86d1646b0e9411ad931b8f465837d36ddf9a4
Instruction ID: a26b178cd4858426eba1dda4830d4ea24c51ac4d8efeb47256560bd74cd9418e
Opcode Fuzzy Hash: c94fd77ef40290532eb7d861cbb86d1646b0e9411ad931b8f465837d36ddf9a4
Instruction Fuzzy Hash: FAF05428FDF244D6C52461650C85BF6514A579B751E2035BB790A7E3C7C8BCB803215F

Non-executed Functions

Function 004043A4 Relevance: 3.8, Strings: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'application/x-www-form-urlencoded', xrefs: 004043BD
-C attribute Add cookie, eg. 'Apache=1234. (repeatable), xrefs: 00404445
-w Print out results in HTML tables, xrefs: 004043EF

Memory Dump Source

Source File: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1838058999.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838090618.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838105910.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838124548.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_123.jbxd

Yara matches

Similarity

API ID:
String ID: 'application/x-www-form-urlencoded'$ -C attribute Add cookie, eg. 'Apache=1234. (repeatable)$ -w Print out results in HTML tables
API String ID: 0-3129442784
Opcode ID: 1a4e525a60c471288877c48bc56cef322ca26e8aee77600da94489166d97fbf2
Instruction ID: 8617cb6a553737b242ce1959ec9ba86a48a66a3e74b7f2eb9a9ea670186a4625
Opcode Fuzzy Hash: 1a4e525a60c471288877c48bc56cef322ca26e8aee77600da94489166d97fbf2
Instruction Fuzzy Hash: 4B017672A292C1CFD304A3B4DCD5B24BBA0EB02300B6182EBC293832C2C77CC546CB15

Function 0040317B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1838074048.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1838058999.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838090618.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838105910.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1838124548.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_123.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee4113159bf91ec45ed4cc59ea63054c976cc8e75deeb05fd6a8a3c5e1fa1ba
Instruction ID: d31d71394359bd72904e27ded841780d0ce4ae2cf1015a8ea91c16141a9ae1f3
Opcode Fuzzy Hash: 2ee4113159bf91ec45ed4cc59ea63054c976cc8e75deeb05fd6a8a3c5e1fa1ba
Instruction Fuzzy Hash: 72014932A085414BE728AD1CB8C04A5FF69FA4633A31417BFD814EF2C3C636E586829C

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 123.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
123.exe

Function 00580095 Relevance: 6.1, APIs: 4, Instructions: 81
networkCOMMON

Function 00407177 Relevance: 1.3, APIs: 1, Instructions: 59
memoryCOMMON

Function 00407170 Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Function 004043A4 Relevance: 3.8, Strings: 3, Instructions: 45
COMMON