Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Avira: detected |
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "219.150.121.100", "Port": 4449} |
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
ReversingLabs: Detection: 55% |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 98.9% probability |
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1215740 FindFirstFileExW, |
Source: global traffic |
TCP traffic: 192.168.2.5:49718 -> 219.150.121.100:4449 |
Source: Joe Sandbox View |
ASN Name: CHINANET-BACKBONENo31Jin-rongStreetCN |
Source: unknown |
TCP traffic detected without corresponding DNS query: 219.150.121.100 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_0000025959553438 LoadLibraryA,WSASocketA,connect,recv,closesocket, |
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E121A2C8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1213E1C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1215510 |
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe, 00000000.00000000.2141100714.00007FF6E1243000.00000008.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamepython.exe. vs SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe, 00000000.00000002.3381339156.00007FF6E1243000.00000004.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamepython.exe. vs SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Binary or memory string: OriginalFilenamepython.exe. vs SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04 |
Source: classification engine |
Classification label: mal84.troj.winEXE@1/0@0/1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1211190 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1211310 FindResourceW,FindResourceExW,SizeofResource,LoadResource,LockResource, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Section loaded: mswsock.dll |
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1242A00 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1220F2D push rcx; retf 003Fh |
0_2_00007FF6E1220F2E |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe, 00000000.00000002.3381181364.0000025959569000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1211D58 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1217540 GetProcessHeap, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1215064 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1219EA0 cpuid |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe |
Code function: 0_2_00007FF6E1211C34 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
Source: Yara match |
File source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |