Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp
Malware Configuration Extractor: Metasploit {"Type": "Metasploit Download", "URL": "http://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i"}
Source: e90zPYFENm.exe
ReversingLabs: Detection: 60%
Source: e90zPYFENm.exe
Virustotal: Detection: 53%
Source: Submitted Sample
Integrated Neural Analysis Model: Matched 100.0% probability
Source: e90zPYFENm.exe
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 4x nop then push rbx 0_2_00007FF71F481C94
Source: Malware configuration extractor
URLs: http://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i
Source: Joe Sandbox View
ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
Source: Network traffic
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49715 -> 119.45.147.28:443
Source: Network traffic
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 119.45.147.28:443
Source: Network traffic
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49704 -> 119.45.147.28:443
Source: Network traffic
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49717 -> 119.45.147.28:443
Source: unknown
TCP traffic detected without corresponding DNS query: 119.45.147.28 (15 occurrences)
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://119.45.147.28/
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://119.45.147.28/LzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://119.45.147.28/a81-46d0-b6b6-535557bcc5fa
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i)
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365517788.0000022BBCC24000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_iuq
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://119.45.147.28/mP%
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://119.45.147.28/u
Source: unknown
Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown
Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown
Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49713
Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F48D860
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F48BA50
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F488F00
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F483D58
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F487D20
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F48B550
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F48E1F0
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F4827F0
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_0000022BBCDE0936
Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine
Classification label: mal80.troj.winEXE@1/0@0/1
Source: e90zPYFENm.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: wininet.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: wldp.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: profapi.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: netutils.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Section loaded: schannel.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: e90zPYFENm.exe
Static PE information: Image base 0x140000000 > 0x60000000
Source: e90zPYFENm.exe
Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\e90zPYFENm.exe
API coverage: 5.6 %
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Last function: Thread delayed
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAWp
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365517788.0000022BBCC24000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365517788.0000022BBCC24000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAWQC
Source: C:\Users\user\Desktop\e90zPYFENm.exe
Code function: 0_2_00007FF71F481180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,
Source: Yara match
File source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY