Windows Analysis Report
e90zPYFENm.exe

Overview

General Information

Sample name: e90zPYFENm.exe
renamed because original name is a hash value
Original sample name: 4ef776934710c9c4f067287fe73f1c94902d9290f0e40e7da83629589c4510aa.exe
Analysis ID: 1502168
MD5: 94807b134058d14399767d8f5d84a5d5
SHA1: b01a404085091bd567e9c129baecf8230ccbfc46
SHA256: 4ef776934710c9c4f067287fe73f1c94902d9290f0e40e7da83629589c4510aa
Tags: 119-45-147-28exe

Detection

Metasploit
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Yara signature match

AV Detection

Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Type": "Metasploit Download", "URL": "http://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i"}
Note: the extractor renders the URL with an http:// scheme, but the in-memory strings and the captured traffic in the Networking section below use https:// and port 443, so this is the URL of a reverse HTTPS stager rather than a plain HTTP download.
Source: e90zPYFENm.exe ReversingLabs: Detection: 60%
Source: e90zPYFENm.exe Virustotal: Detection: 53%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: e90zPYFENm.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 4x nop then push rbx 0_2_00007FF71F481C94

Networking

Source: Malware configuration extractor URLs: http://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i
Source: Joe Sandbox View ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49715 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49704 -> 119.45.147.28:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49717 -> 119.45.147.28:443
Note: this rule keys on a TLS ClientHello fingerprint (JA3) that the Windows WinINet/Schannel stack produces for many legitimate programs, which is why it carries severity 3. The "Possible Dridex" label is not family attribution on its own; the Metasploit verdict rests on the memory YARA matches and the extracted configuration.
Source: unknown TCP traffic detected without corresponding DNS query: 119.45.147.28 (reported 15 times, once per connection; the C2 is addressed directly by IP in the configuration, so no DNS lookup precedes the traffic)
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/LzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/a81-46d0-b6b6-535557bcc5fa
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i)
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365517788.0000022BBCC24000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_iuq
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/mP%
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.45.147.28/u
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
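The C2 URL above is the report's own indicator. What follows is an added worked example, not code from Joe Sandbox or from Metasploit, showing how to test each path segment of that URL against the 8-bit URI checksum that Metasploit's reverse_http(s) handler uses to recognise its stagers, and how to decode the 16-byte payload UUID that the stager embeds at the start of a long enough segment. The constants follow Rex::Payloads::Meterpreter::UriChecksum and Msf::Payload::UUID in metasploit-framework as the editor recalls them (the platform and architecture tables are deliberately only a subset); verify them against the framework source before building detections on them. Function and variable names are this example's own.

```python
"""Classify Metasploit reverse_http(s) stager URIs and decode the payload UUID.

Added example for this report, not code from Joe Sandbox or Metasploit.
Constants follow Rex::Payloads::Meterpreter::UriChecksum and
Msf::Payload::UUID in metasploit-framework as recalled by the editor;
the platform/arch tables are deliberately only a subset.
"""
import base64
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# checksum8 of the URI segment selects the handler mode.
URI_MODES = {
    92: "INITW",  # Windows stager requesting its stage
    80: "INITN",  # native (non-Windows) stager
    95: "INITP",  # Python stager
    88: "INITJ",  # Java stager
    98: "CONN",   # established Meterpreter session traffic
}
URI_CHECKSUM_UUID_MIN_LEN = 30  # shorter segments carry no UUID
UUID_B64_LEN = 22               # 16 raw bytes -> 22 base64url characters

# Subset of the id tables in Msf::Payload::UUID (assumption: values as recalled).
PLATFORMS = {1: "windows", 3: "android", 4: "java", 6: "linux", 9: "osx", 21: "python"}
ARCHES = {1: "x86", 2: "x64", 3: "x64", 12: "armle", 24: "aarch64"}

BASE64URL_JUNK = re.compile(r"[^A-Za-z0-9_-]")


def checksum8(text: str) -> int:
    """Rex::Text.checksum8: sum of the byte values, modulo 256."""
    return sum(text.encode("latin-1")) & 0xFF


def parse_uuid(raw: bytes) -> dict:
    """Decode the 16-byte payload UUID.

    Layout: puid[8] | xor1 | xor2 | platform^xor1 | arch^xor2 |
            timestamp ^ (xor1,xor2,xor1,xor2) as a big-endian uint32.
    """
    if len(raw) < 16:
        raise ValueError("payload UUID needs 16 bytes")
    xor1, xor2, plat_x, arch_x = raw[8], raw[9], raw[10], raw[11]
    time_key = int.from_bytes(bytes([xor1, xor2, xor1, xor2]), "big")
    ts = int.from_bytes(raw[12:16], "big") ^ time_key
    plat_id, arch_id = xor1 ^ plat_x, xor2 ^ arch_x
    return {
        "puid": raw[:8].hex(),
        "platform": PLATFORMS.get(plat_id, f"unknown({plat_id})"),
        "arch": ARCHES.get(arch_id, f"unknown({arch_id})"),
        "timestamp": ts,
        "generated": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
    }


def classify_segment(segment: str) -> dict:
    """Checksum one path segment the way the MSF handler does (non-base64url chars ignored)."""
    bare = BASE64URL_JUNK.sub("", segment)
    csum = checksum8(bare)
    info = {"segment": bare, "checksum": csum, "mode": URI_MODES.get(csum), "uuid": None}
    # The handler only looks for a UUID when the segment is long enough to hold one.
    if len(bare) >= URI_CHECKSUM_UUID_MIN_LEN:
        info["uuid"] = parse_uuid(base64.urlsafe_b64decode(bare[:UUID_B64_LEN] + "=="))
    return info


def classify_url(url: str) -> list:
    """Classify every non-empty path segment; a directory prefix simply matches no mode."""
    path = urlsplit(url).path
    return [classify_segment(seg) for seg in path.split("/") if seg]


if __name__ == "__main__":
    # URL taken from the extracted configuration in this report.
    C2_URL = "http://119.45.147.28/cLzHwODM/SM8omDxZewgwWjFYVimA4g64y1JdIzY4ApXywlnL9_kGiyhwOZf2xLuhPjwY_i"
    for entry in classify_url(C2_URL):
        print(entry)
```

Run against the report's URL, the first segment (cLzHwODM) sums to 200 and matches no mode, so it behaves like a directory prefix, while the 62-character second segment sums to 92 (INITW, the initial request of a Windows stager). Its leading 22 base64url characters decode to a UUID whose platform is windows and architecture x64, with a generation timestamp of 2024-06-20 04:31:52 UTC, which agrees with the 64-bit wininet reverse shellcode YARA matches in this report. The same function applied to the CONN mode (98) distinguishes stage requests from established Meterpreter traffic in proxy logs.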

System Summary

Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F48D860 0_2_00007FF71F48D860
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F48BA50 0_2_00007FF71F48BA50
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F488F00 0_2_00007FF71F488F00
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F483D58 0_2_00007FF71F483D58
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F487D20 0_2_00007FF71F487D20
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F48B550 0_2_00007FF71F48B550
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F48E1F0 0_2_00007FF71F48E1F0
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F4827F0 0_2_00007FF71F4827F0
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_0000022BBCDE0936 0_2_0000022BBCDE0936
Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine Classification label: mal80.troj.winEXE@1/0@0/1
Source: e90zPYFENm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e90zPYFENm.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: e90zPYFENm.exe ReversingLabs: Detection: 60%
Source: e90zPYFENm.exe Virustotal: Detection: 53%
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\e90zPYFENm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: e90zPYFENm.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: e90zPYFENm.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: e90zPYFENm.exe Static PE information: section name: .xdata
Note: .xdata holds x64 exception-unwind data and is a normal section in binaries built with the GCC/MinGW-w64 toolchain, so the "non-standard section name" signature is weak evidence on its own.
Source: C:\Users\user\Desktop\e90zPYFENm.exe API coverage: 5.6 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\e90zPYFENm.exe Last function: Thread delayed
Source: e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCBEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365517788.0000022BBCC24000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: e90zPYFENm.exe, 00000000.00000002.3304460732.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365517788.0000022BBCC24000.00000004.00000020.00020000.00000000.sdmp, e90zPYFENm.exe, 00000000.00000003.2365454475.0000022BBCC14000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQC
Source: C:\Users\user\Desktop\e90zPYFENm.exe Code function: 0_2_00007FF71F481180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF71F481180
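The Windows_Trojan_Metasploit_c9773203 matches above identify Metasploit's block_api routine, which resolves Win32 APIs at run time by hashing module and export names instead of carrying an import table. The following is an added worked example (not the report's code and not Metasploit's) that reproduces that ROR-13 scheme in Python and uses it to map 32-bit hash immediates found in a shellcode blob back to API names. The list of APIs is the example's own choice of what a wininet-based reverse_http(s) stager resolves, and the sample bytes are constructed, not extracted from this sample.

```python
"""Metasploit block_api ROR-13 API hashing, as flagged by YARA rule
Windows_Trojan_Metasploit_c9773203.

Added example for this report, not code from Joe Sandbox or Metasploit.
Scheme: hash = (hash(module) + hash(function)) mod 2**32, where the module
name is the loader's BaseDllName (UTF-16LE, uppercased, terminator included)
and the function name is the ASCII export name with its terminator; each
byte is folded in as h = ror32(h, 13) + byte.
"""
from typing import Dict, List, Optional, Tuple


def ror32(value: int, bits: int = 13) -> int:
    """Rotate a 32-bit value right."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def _hash_bytes(data: bytes) -> int:
    h = 0
    for b in data:
        h = (ror32(h) + b) & 0xFFFFFFFF
    return h


def module_hash(module: str) -> int:
    """Hash over the uppercased UTF-16LE module name including its NUL terminator."""
    return _hash_bytes((module.upper() + "\0").encode("utf-16-le"))


def function_hash(name: str) -> int:
    """Hash over the ASCII export name including its NUL terminator."""
    return _hash_bytes((name + "\0").encode("ascii"))


def api_hash(module: str, function: str) -> int:
    return (module_hash(module) + function_hash(function)) & 0xFFFFFFFF


# APIs a wininet reverse_http(s) stager typically resolves (example's own list).
STAGER_APIS: List[Tuple[str, str]] = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetConnectA"),
    ("wininet.dll", "HttpOpenRequestA"),
    ("wininet.dll", "InternetSetOptionA"),
    ("wininet.dll", "HttpSendRequestA"),
    ("wininet.dll", "InternetReadFile"),
]


def build_table(apis=STAGER_APIS) -> Dict[int, Tuple[str, str]]:
    """Precompute hash -> (module, function) for reverse lookup."""
    return {api_hash(m, f): (m, f) for m, f in apis}


def resolve(h: int, table: Optional[Dict[int, Tuple[str, str]]] = None) -> Optional[Tuple[str, str]]:
    table = table or build_table()
    return table.get(h & 0xFFFFFFFF)


def find_hashes(blob: bytes, table: Optional[Dict[int, Tuple[str, str]]] = None):
    """Scan a blob for little-endian 32-bit immediates that are known API hashes.

    Returns (offset, hash, (module, function)) for every hit.
    """
    table = table or build_table()
    hits = []
    for off in range(len(blob) - 3):
        v = int.from_bytes(blob[off:off + 4], "little")
        if v in table:
            hits.append((off, v, table[v]))
    return hits


if __name__ == "__main__":
    # Constructed sample: two x64 "mov r10d, imm32 ; call rbp" sequences as the
    # stager emits them (41 BA <hash> FF D5), built here rather than taken from the sample.
    blob = b""
    for m, f in (("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "VirtualAlloc")):
        blob += b"\x41\xba" + api_hash(m, f).to_bytes(4, "little") + b"\xff\xd5"
    for off, h, (m, f) in find_hashes(blob):
        print(f"offset {off:#04x}: {h:#010x} -> {m}!{f}")
```

A practical use is the reverse direction: dump the r10d immediates from the injected region the YARA rule matched (the 0x22BBCDE0000 and 0x22BBCE50000 memory dumps in this report) and look them up in the table to recover the stager's API sequence without single-stepping it; unknown hashes simply need the candidate (module, function) pair added to the list.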

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.3304629088.0000022BBCE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3304616074.0000022BBCDE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY