Windows Analysis Report
VInxSo1xrN.exe

Overview

General Information

Sample name: VInxSo1xrN.exe
(renamed because the original file name is a hash value)
Original sample name: 2a18a597200994af2b1eaa57d789f979.exe
Analysis ID: 1538170
MD5: 2a18a597200994af2b1eaa57d789f979
SHA1: 8c6b392ef200050c0efe99a846aff25f33a3eb37
SHA256: 43c13796f343898e53317703cd4178e7e00efcf8b1aa20ce6a5d349ddca5949e
Tags: 64, exe, Meterpreter, trojan

Detection

Metasploit
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Machine Learning detection for sample
Entry point lies outside standard sections
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Yara signature match

Classification

AV Detection

Source: VInxSo1xrN.exe Avira: detected
Source: VInxSo1xrN.exe Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "188.166.177.132", "Port": 443}
Source: VInxSo1xrN.exe ReversingLabs: Detection: 86%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: VInxSo1xrN.exe Joe Sandbox ML: detected
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.177.132
Source: C:\Users\user\Desktop\VInxSo1xrN.exe Code function: 0_2_00000001400040D6 LoadLibraryA,WSASocketA,connect,recv, 0_2_00000001400040D6
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
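Two of the network observations above translate directly into hunting logic: a TCP connection to 188.166.177.132 that no DNS query preceded, and traffic on port 443 that the extracted configuration ("Metasploit Connect", i.e. a reverse-TCP stager built on WSASocketA/connect/recv) shows is a raw TCP channel rather than TLS, so the "HTTP traffic on port 443" label above is port-based and traffic on 443 that is not TLS is itself a signal. The following Python is an added example and is not part of the sandbox report: it correlates constructed Zeek JSON conn.log and dns.log records, flags flows to an external address the client never resolved, and flags port-443 flows Zeek did not classify as ssl. The log records, the internal address ranges and the one-hour DNS lookback are assumptions made for the example.

```python
"""Hunting logic for two network observations: a TCP flow to an external address
that no DNS answer explains, and a flow on 443 that was not TLS on the wire.
Runs over constructed Zeek JSON logs (conn.log and dns.log)."""
import json
from ipaddress import ip_address, ip_network

# Address space treated as internal; assumption for this example (adjust per site).
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Zeek records, not traffic from the sandbox run. Client 10.0.0.25
# resolves two names, then opens four connections; only C5 has no DNS behind it
# and carries no ssl service although it goes to port 443.
DNS_LOG = """
{"ts":1700000000.0,"uid":"C1","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.1","query":"www.example.com","qtype_name":"A","answers":["93.184.216.34"]}
{"ts":1700000001.0,"uid":"C2","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.1","query":"cdn.example.net","qtype_name":"A","answers":["edge.example.net","203.0.113.9"]}
"""
CONN_LOG = """
{"ts":1700000002.0,"uid":"C3","id.orig_h":"10.0.0.25","id.orig_p":49701,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}
{"ts":1700000003.0,"uid":"C4","id.orig_h":"10.0.0.25","id.orig_p":49702,"id.resp_h":"10.0.0.7","id.resp_p":445,"proto":"tcp","service":"smb","conn_state":"SF"}
{"ts":1700000004.0,"uid":"C5","id.orig_h":"10.0.0.25","id.orig_p":49704,"id.resp_h":"188.166.177.132","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1700000005.0,"uid":"C6","id.orig_h":"10.0.0.25","id.orig_p":49705,"id.resp_h":"203.0.113.9","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
"""


def parse_log(text: str) -> list:
    """One JSON object per line, as Zeek writes with LogAscii::use_json=T."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dns_answers(dns_records: list) -> dict:
    """(client, answered IP) -> earliest answer time; CNAME answers are skipped."""
    seen = {}
    for r in dns_records:
        for ans in r.get("answers", []):
            try:
                ip_address(ans)
            except ValueError:
                continue                      # a name in the CNAME chain, not an address
            key = (r["id.orig_h"], ans)
            seen[key] = min(seen.get(key, r["ts"]), r["ts"])
    return seen


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def flag_connections(conn_records: list, dns_records: list,
                     max_age: float = 3600.0) -> list:
    """Return external TCP flows with at least one reason attached:
    no_dns          the client got no DNS answer for the destination IP in the
                    preceding max_age seconds (the report's 'TCP traffic without DNS')
    port443_no_tls  destination port 443 but Zeek attached no ssl service, so the
                    bytes on the wire were not TLS (a raw reverse-TCP stager looks so)
    """
    answers = dns_answers(dns_records)
    hits = []
    for c in conn_records:
        if c.get("proto") != "tcp" or is_internal(c["id.resp_h"]):
            continue
        reasons = []
        answered = answers.get((c["id.orig_h"], c["id.resp_h"]))
        if answered is None or not 0 <= c["ts"] - answered <= max_age:
            reasons.append("no_dns")
        # Zeek's service field is a comma-joined set when several analyzers match.
        if c["id.resp_p"] == 443 and "ssl" not in c.get("service", "").split(","):
            reasons.append("port443_no_tls")
        if reasons:
            hits.append({"uid": c["uid"], "orig_h": c["id.orig_h"],
                         "resp_h": c["id.resp_h"], "resp_p": c["id.resp_p"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_connections(parse_log(CONN_LOG), parse_log(DNS_LOG)):
        print(f"{hit['uid']}: {hit['orig_h']} -> {hit['resp_h']}:{hit['resp_p']}  "
              + ", ".join(hit["reasons"]))
```

Zeek writes the dns.log record when the response arrives, so a connection whose timestamp lands a few milliseconds before its own answer would be reported as no_dns; if that shows up in real data, allow a small negative lower bound instead of 0. Either reason alone is a lead; both on the same flow, as for C5, is what a reverse-TCP stager callback on 443 looks like.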

System Summary

Source: VInxSo1xrN.exe, type: SAMPLE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: VInxSo1xrN.exe, type: SAMPLE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: VInxSo1xrN.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: VInxSo1xrN.exe, type: SAMPLE Matched rule: Detects Meterpreter stager payload Author: ditekSHen
Source: 0.2.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 0.0.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.0.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000000.00000000.2035464855.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000000.2035464855.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000000.2035464855.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000000.00000002.3275434407.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3275434407.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3275434407.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: VInxSo1xrN.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: VInxSo1xrN.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: VInxSo1xrN.exe, type: SAMPLE Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: VInxSo1xrN.exe, type: SAMPLE Matched rule: MALWARE_Win_MeterpreterStager author = ditekSHen, description = Detects Meterpreter stager payload
Source: 0.2.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 0.0.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.0.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000000.00000000.2035464855.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000000.2035464855.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000000.2035464855.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000000.00000002.3275434407.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3275434407.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3275434407.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
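The three Elastic rules above (7bc0f998, c9773203, 91bc5d7d) fire on the block_api resolver, the ror13 API-hashing routine every Metasploit stager carries and that the referenced block_api.asm implements; the rule text notes it has been reused by other families, so the match says "Metasploit-style resolver", and the extracted configuration is what pins this sample to Metasploit. Reproducing the hash is how an analyst turns the 32-bit constants in a stager back into API names. The following Python is an added example, not code from the sandbox report or from Metasploit: it rebuilds the hash, derives a lookup table from a candidate export list, and scans a constructed x64 fragment for the `mov r10d, imm32` / `call rbp` idiom. The fragment and the candidate list are assumptions; the four constants embedded in the fragment are the ones Metasploit's reverse_tcp x64 stager source uses for LoadLibraryA, WSASocketA, connect and recv, the same chain the sandbox observed in function 0_2_00000001400040D6.

```python
"""Metasploit block_api hash (ror13/add) and a resolver for hash constants in x64 stagers.

block_api walks PEB -> Ldr -> InMemoryOrderModuleList, hashes each module's
BaseDllName (UTF-16LE, upper-cased, terminating null included) and each export
name (ASCII, null included) with the same ror13/add loop, and compares the
32-bit sum of the two against the constant the caller loaded into r10d."""
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits (block_api's `ror r9d, 13`)."""
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(data: bytes) -> int:
    """block_api's accumulate loop: h = ror13(h) + next byte, over every byte."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def module_hash(module: str) -> int:
    """BaseDllName as block_api reads it from the loader entry: UTF-16LE, ASCII
    letters upper-cased (the `sub al, 0x20` in the loop), null terminator included."""
    return ror13_hash((module.upper() + "\x00").encode("utf-16le"))


def function_hash(func: str) -> int:
    """Export name from the module's AddressOfNames table: ASCII, null included."""
    return ror13_hash((func + "\x00").encode("ascii"))


def api_hash(module: str, func: str) -> int:
    """The constant a stager carries for module!func."""
    return (module_hash(module) + function_hash(func)) & MASK32


# Exports worth resolving in a stager; assumption for this example, extend as needed.
CANDIDATES = {
    "kernel32.dll": ["LoadLibraryA", "VirtualAlloc", "ExitProcess", "CreateThread",
                     "GetProcAddress", "WaitForSingleObject"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send", "closesocket"],
}


def build_hash_table(candidates=CANDIDATES) -> dict:
    """Map every candidate module!func hash back to its name."""
    return {api_hash(m, f): f"{m}!{f}" for m, funcs in candidates.items() for f in funcs}


def find_x64_api_calls(code: bytes, table: dict) -> list:
    """Find the x64 block_api call idiom `mov r10d, imm32` (41 BA imm32) followed by
    `call rbp` (FF D5) and resolve each imm32. Returns (offset, hash, name or None)."""
    calls = []
    pos = code.find(b"\x41\xba")
    while 0 <= pos <= len(code) - 8:
        if code[pos + 6:pos + 8] == b"\xff\xd5":
            h = struct.unpack_from("<I", code, pos + 2)[0]
            calls.append((pos, h, table.get(h)))
            pos = code.find(b"\x41\xba", pos + 8)
        else:
            pos = code.find(b"\x41\xba", pos + 1)
    return calls


# Constructed x64 fragment (not bytes from the sample): the four resolutions the
# sandbox saw in 0_2_00000001400040D6, with the constants from Metasploit's
# reverse_tcp x64 stager source.
STAGER_FRAGMENT = b"".join(
    b"\x41\xba" + struct.pack("<I", h) + b"\xff\xd5"
    for h in (0x0726774C,   # kernel32.dll!LoadLibraryA (loads ws2_32)
              0xE0DF0FEA,   # ws2_32.dll!WSASocketA
              0x6174A599,   # ws2_32.dll!connect
              0x5FC8D902)   # ws2_32.dll!recv
)


def resolve_fragment(code: bytes = STAGER_FRAGMENT) -> list:
    """Names of the resolved calls in `code`, in order; None for unknown hashes."""
    return [name for _, _, name in find_x64_api_calls(code, build_hash_table())]


if __name__ == "__main__":
    for off, h, name in find_x64_api_calls(STAGER_FRAGMENT, build_hash_table()):
        print(f"+{off:04x}  mov r10d, 0x{h:08X} ; call rbp  -> {name}")
```

The module side of the hash is computed over the loader's BaseDllName, so case does not matter but the ".dll" suffix does; the function side is the exact export name, so "WSASocketA" and "WSASocketW" resolve to different constants. An unresolved hash usually means an export missing from CANDIDATES rather than a different hashing scheme; a different rotation count (non-13) is the usual sign of a deliberately modified resolver.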
Source: classification engine Classification label: mal96.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\VInxSo1xrN.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VInxSo1xrN.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\VInxSo1xrN.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VInxSo1xrN.exe Section loaded: mswsock.dll
Source: VInxSo1xrN.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: initial sample Static PE information: section where entry point is pointing to: .ewti
Source: VInxSo1xrN.exe Static PE information: checksum stored in the header: 0x525c; checksum computed for the file: 0x5414
Source: VInxSo1xrN.exe Static PE information: section name: .ewti
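Two of the static findings above, an entry point inside a non-standard section (.ewti) and a header checksum that does not match the file, are cheap to check without a sandbox. The following Python is an added example, not part of the report: it recomputes the PE CheckSum with the algorithm CheckSumMappedFile uses (every dword except the CheckSum field itself, summed with end-around carry, folded to 16 bits, plus the file length), locates the section whose range covers AddressOfEntryPoint, and runs both checks on a PE32+ image constructed inline. The constructed image, its section names and the list of "standard" code section names are assumptions for the example, not data from the sample; a mismatched checksum on its own is weak evidence (many legitimate linkers leave the field at zero), but combined with an entry point in a packer-named section it is worth the look.

```python
"""Static PE triage: which section holds the entry point, and does the header
CheckSum match the file (the algorithm behind CheckSumMappedFile)."""
import struct
import sys

# Section names toolchains normally give to code. Assumption for this example: an
# entry point anywhere else deserves a closer look (packers, appended stubs).
STANDARD_CODE_SECTIONS = {".text", ".code", "CODE", "INIT", "PAGE"}


def nt_headers(data: bytes):
    """Return (pe_off, optional_header_off, number_of_sections, size_of_optional_header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _machine, nsec, _ts, _sym, _nsym, size_opt, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    return pe_off, pe_off + 24, nsec, size_opt


def sections(data: bytes) -> list:
    """Parse the section table into dicts (name, va, vsize, rawsize, rawptr)."""
    _, opt_off, nsec, size_opt = nt_headers(data)
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt_off + size_opt + i * 40)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return out


def entry_point_section(data: bytes):
    """Name of the section whose virtual range covers AddressOfEntryPoint, else None."""
    _, opt_off, _, _ = nt_headers(data)
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    for s in sections(data):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None                     # entry point outside every section


def pe_checksum(data: bytes) -> int:
    """Recompute OptionalHeader.CheckSum: sum every dword except the CheckSum field
    with end-around carry, fold to 16 bits, then add the file length."""
    _, opt_off, _, _ = nt_headers(data)
    checksum_off = opt_off + 64     # same offset in PE32 and PE32+
    if checksum_off % 4:
        raise ValueError("unaligned CheckSum field not handled by this example")
    total, whole = 0, len(data) - len(data) % 4
    for off in range(0, whole, 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    if whole != len(data):          # 1 to 3 trailing bytes, zero padded
        total += int.from_bytes(data[whole:].ljust(4, b"\0"), "little")
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def stamp_checksum(data: bytes) -> bytes:
    """Write the recomputed CheckSum into the header (what a linker's /RELEASE does)."""
    _, opt_off, _, _ = nt_headers(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, opt_off + 64, pe_checksum(data))
    return bytes(buf)


def triage(data: bytes) -> dict:
    _, opt_off, _, _ = nt_headers(data)
    stored = struct.unpack_from("<I", data, opt_off + 64)[0]
    ep_sec = entry_point_section(data)
    computed = pe_checksum(data)
    return {"sections": [s["name"] for s in sections(data)], "entry_section": ep_sec,
            "entry_in_standard_section": ep_sec in STANDARD_CODE_SECTIONS,
            "stored_checksum": stored, "computed_checksum": computed,
            "checksum_ok": stored == computed}


def build_sample_pe() -> bytes:
    """Constructed PE32+ image, not the analysed sample: '.text' plus a packer-style
    '.ewti' holding the entry point, and a stale CheckSum left in the header."""
    secs = [(b".text", 0x1000, 0x400, 0x60000020),   # (name, VA, raw offset, flags)
            (b".ewti", 0x2000, 0x600, 0xE0000020)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<HBBIII", opt, 0, 0x20B, 14, 0, 0x200, 0x200, 0)   # PE32+ magic, sizes
    struct.pack_into("<IIQII", opt, 16, 0x2010, 0x1000, 0x140000000, 0x1000, 0x200)  # entry in .ewti
    struct.pack_into("<HH", opt, 48, 6, 0)                               # subsystem version
    struct.pack_into("<IIIHH", opt, 56, 0x3000, 0x400, 0x525C, 3, 0x8160)  # ..., stale CheckSum, ...
    struct.pack_into("<I", opt, 108, 16)                                 # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, raw, 0, 0, 0, 0, fl)
                     for n, va, raw, fl in secs)
    image = bytearray(0x800)
    header = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table
    image[:len(header)] = header
    image[0x400:0x600] = b"\xCC" * 0x200                                 # .text: int3 filler
    image[0x600:0x800] = (b"\x90" * 0x10 + b"\xC3").ljust(0x200, b"\0")  # .ewti: entry is `ret`
    return bytes(image)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key:26} {value}")
```

Run it with a path to check a real file, or with no argument to see the constructed image flagged on both counts. Because the CheckSum field is excluded from its own sum, stamping the computed value into the header does not change the computed value, which is what lets stamp_checksum followed by triage come out consistent.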
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: VInxSo1xrN.exe, 00000000.00000002.3275360351.0000000000466000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Remote Access Functionality

Source: Yara match File source: VInxSo1xrN.exe, type: SAMPLE
Source: Yara match File source: 0.2.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.VInxSo1xrN.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2035464855.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3275434407.0000000140004000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY