Windows Analysis Report
SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe
Analysis ID: 1521517
MD5: 422bd6b228bc054bd1c22de49f706a0f
SHA1: 4efd522c32541f1e9c60c0183424f28276d5fc02
SHA256: bb6c3e7f98d3b40cb754d80c1de0c7d630c7dafb49c5582740d40cf928ee094b
Tags: exe

Detection

Metasploit
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Avira: detected
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "219.150.121.100", "Port": 4449}
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.9% probability
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1215740 FindFirstFileExW, 0_2_00007FF6E1215740
Source: global traffic TCP traffic: 192.168.2.5:49718 -> 219.150.121.100:4449
Source: Joe Sandbox View ASN Name: CHINANET-BACKBONENo31Jin-rongStreetCN
Source: unknown TCP traffic detected without corresponding DNS query: 219.150.121.100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_0000025959553438 LoadLibraryA,WSASocketA,connect,recv,closesocket, 0_2_0000025959553438

System Summary

Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E121A2C8 0_2_00007FF6E121A2C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1213E1C 0_2_00007FF6E1213E1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1215510 0_2_00007FF6E1215510
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe, 00000000.00000000.2141100714.00007FF6E1243000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamepython.exe. vs SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe, 00000000.00000002.3381339156.00007FF6E1243000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamepython.exe. vs SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Binary or memory string: OriginalFilenamepython.exe. vs SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: classification engine Classification label: mal84.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1211190 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 0_2_00007FF6E1211190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1211310 FindResourceW,FindResourceExW,SizeofResource,LoadResource,LockResource, 0_2_00007FF6E1211310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Section loaded: mswsock.dll
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1242A00 LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00007FF6E1242A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1220F2D push rcx; retf 003Fh 0_2_00007FF6E1220F2E
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1215740 FindFirstFileExW, 0_2_00007FF6E1215740
Source: SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe, 00000000.00000002.3381181364.0000025959569000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1211D58 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6E1211D58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1217540 GetProcessHeap, 0_2_00007FF6E1217540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1215064 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6E1215064
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1219EA0 cpuid 0_2_00007FF6E1219EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownloaderNET.45.17732.20664.exe Code function: 0_2_00007FF6E1211C34 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6E1211C34

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.3381166527.0000025959550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY