Source: 00000000.00000002.1653761887.0000000000500000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: Metasploit {"Type": "Shell Reverse Tcp", "IP": "188.166.177.132", "Port": 443} |
Source: m8ufsTLLOU.exe |
ReversingLabs: Detection: 84% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.7% probability |
Source: m8ufsTLLOU.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: m8ufsTLLOU.exe |
Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: m8ufsTLLOU.exe |
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 4x nop then sti | 0_2_004048F9
Source: Joe Sandbox View |
ASN Name: DIGITALOCEAN-ASNUS |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.177.132 (four connections reported) |
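The "TCP traffic detected without corresponding DNS query" finding is worth reproducing outside the sandbox, because it is the one network signal a hard-coded reverse shell cannot avoid: the extracted configuration carries a literal IP and port, so the connection to 188.166.177.132:443 happens with no name lookup in front of it. The block below is an added example (not Joe Sandbox code and not part of the report): it joins a DNS answer log against a connection log, ignores RFC 1918/loopback/link-local destinations, and flags public destinations that no DNS answer produced within a window before the connection, then cross-checks the alerts against a config of the shape the Malware Configuration Extractor printed. Both logs are constructed for the example and use an assumed simplified tab-separated layout, not a real Zeek or Suricata schema; the 203.0.113.0/24 and 198.51.100.0/24 hosts are RFC 5737 documentation addresses standing in for legitimately resolved servers.

```python
"""Flag outbound TCP connections to public IPs that never appeared in a DNS answer.

Added example, not part of the sandbox report. Log layouts are assumed and the
log contents are constructed; only 188.166.177.132:443 comes from the report.
"""
from ipaddress import ip_address, ip_network

# Constructed DNS answers: ts <TAB> query name <TAB> comma-separated A records
DNS_LOG = """\
1700000000.10\tupdates.example.com\t203.0.113.10,203.0.113.11
1700000000.20\tcdn.example.net\t198.51.100.7
"""

# Constructed connections: ts <TAB> src <TAB> sport <TAB> dst <TAB> dport <TAB> proto
CONN_LOG = """\
1700000001.00\t10.0.0.5\t49729\t203.0.113.10\t443\ttcp
1700000002.00\t10.0.0.5\t49730\t188.166.177.132\t443\ttcp
1700000003.00\t10.0.0.5\t49731\t198.51.100.7\t80\ttcp
1700000004.00\t10.0.0.5\t49732\t10.0.0.1\t445\ttcp
1700000005.00\t10.0.0.5\t49733\t203.0.113.11\t443\tudp
"""

# Ranges reached by address all the time (file shares, DCs, localhost); excluded
# explicitly rather than via ipaddress.is_private, which also treats the RFC 5737
# documentation ranges used in the constructed logs as private.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_dns(log):
    """Yield (ts, qname, {answer ips}) per DNS log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, qname, answers = line.split("\t")
        yield float(ts), qname, set(answers.split(","))


def parse_conn(log):
    """Yield (ts, src, sport, dst, dport, proto) per connection log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split("\t")
        yield float(ts), src, int(sport), dst, int(dport), proto


def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_unresolved_connections(dns_log, conn_log, window=300.0):
    """Return TCP connections to non-local destinations that no DNS answer
    within `window` seconds before the connection contained."""
    answers = list(parse_dns(dns_log))
    alerts = []
    for ts, src, sport, dst, dport, proto in parse_conn(conn_log):
        if proto != "tcp" or is_local(dst):
            continue
        seen = any(dst in ips and ts - window <= dts <= ts
                   for dts, _, ips in answers)
        if not seen:
            alerts.append({"ts": ts, "src": src, "sport": sport,
                           "dst": dst, "dport": dport})
    return alerts


def matches_extracted_config(alerts, config):
    """Cross-check alerts against a config of the shape the report prints:
    {"Type": ..., "IP": ..., "Port": ...}."""
    return [a for a in alerts
            if a["dst"] == config["IP"] and a["dport"] == int(config["Port"])]


if __name__ == "__main__":
    found = find_unresolved_connections(DNS_LOG, CONN_LOG)
    for a in found:
        print(f"{a['ts']:.2f} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} no DNS answer")
    cfg = {"Type": "Shell Reverse Tcp", "IP": "188.166.177.132", "Port": 443}
    print("matches extracted config:", bool(matches_extracted_config(found, cfg)))
```

The window matters in production: a resolver cache means a legitimate host can be reached minutes after the last visible query, so size it to the TTLs you see, and feed the check from the resolver's answers rather than from client queries so CNAME chains are covered.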
Source: m8ufsTLLOU.exe |
String found in binary or memory: http://www.apache.org/ |
Source: m8ufsTLLOU.exe |
String found in binary or memory: http://www.apache.org/licenses/LICEN |
Source: m8ufsTLLOU.exe |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: m8ufsTLLOU.exe |
String found in binary or memory: http://www.zeustech.net/ |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: 00000000.00000002.1653761887.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: m8ufsTLLOU.exe, 00000000.00000000.1652085355.0000000000415000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameab.exeF vs m8ufsTLLOU.exe |
Source: m8ufsTLLOU.exe |
Binary or memory string: OriginalFilenameab.exeF vs m8ufsTLLOU.exe |
Source: 00000000.00000002.1653761887.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23 |
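The rule above fires on the position-independent API lookup stub that Metasploit x86 payloads carry: instead of importing by name, the shellcode walks the PEB module list and compares a 32-bit hash of each export against a constant the caller pushed. The rule's byte pattern is not reproduced on this page, so the added example below (not Joe Sandbox, Elastic or Metasploit code) does not attempt to restate it; it shows the hash scheme the stub implements, which is what lets an analyst put names on the `push imm32` constants seen in a memory dump. The scheme is ROR-13 accumulated over the uppercased, NUL-terminated UTF-16LE module name, continued over the NUL-terminated ASCII function name, summed modulo 2^32. The candidate import list and the three-call byte fragment are constructed for the example; the `push imm32; call ebp` shape it scans for is the calling convention of the stub, and the constants 0x0726774C and 0x56A2B5F0 are the values the block itself computes for kernel32.dll!LoadLibraryA and kernel32.dll!ExitProcess.

```python
"""Metasploit x86 block_api hash: compute it and label pushed constants.

Added example, not code from the sandbox report, from Elastic's rule or from
Metasploit. Candidate names and the byte fragment are constructed.
"""
import struct

MASK32 = 0xFFFFFFFF


def ror13(value):
    """Rotate a 32-bit value right by 13 bits."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def ror13_hash(data):
    """h = ror13(h) + byte for every byte, terminating NULs included."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def api_hash(module, function):
    """Module part: uppercased BaseDllName as UTF-16LE including the wide NUL
    (the stub iterates MaximumLength bytes). Function part: export name
    including its NUL (the stub hashes the byte before testing it)."""
    mod_part = ror13_hash((module.upper() + "\0").encode("utf-16-le"))
    fn_part = ror13_hash(function.encode("ascii") + b"\0")
    return (mod_part + fn_part) & MASK32


# Imports a reverse-TCP shell needs; every hash is derived from the name.
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "CreateProcessA"),
    ("kernel32.dll", "WaitForSingleObject"),
    ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
]
HASH_TABLE = {api_hash(m, f): f"{m}!{f}" for m, f in CANDIDATES}


def resolve_push_hashes(code, table=HASH_TABLE):
    """Find `push imm32` (0x68) directly followed by `call ebp` (FF D5), the
    way the stub is invoked, and label each immediate from the table."""
    hits = []
    for i in range(len(code) - 6):
        if code[i] == 0x68 and code[i + 5:i + 7] == b"\xff\xd5":
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((i, imm, table.get(imm, "unknown")))
    return hits


# Constructed fragment (not bytes taken from the sample): three hashed calls.
SAMPLE_STUB = (
    b"\x68\x4c\x77\x26\x07\xff\xd5"   # push 0x0726774C ; call ebp
    b"\x68\xf0\xb5\xa2\x56\xff\xd5"   # push 0x56A2B5F0 ; call ebp
    b"\x68\xef\xbe\xad\xde\xff\xd5"   # push 0xDEADBEEF ; call ebp (not in table)
)

if __name__ == "__main__":
    for off, imm, name in resolve_push_hashes(SAMPLE_STUB):
        print(f"+{off:#06x} push {imm:#010x} -> {name}")
```

Because the hash is over the module name too, a constant only resolves when the table pairs the function with the DLL the payload expects (ws2_32.dll for the socket calls, kernel32.dll for process control); a collision-free but wrong pairing simply reports "unknown", which is the signal to widen the candidate list rather than to trust a partial match.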
Source: m8ufsTLLOU.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal96.troj.winEXE@4/0@0/1 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_03 |
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\m8ufsTLLOU.exe "C:\Users\user\Desktop\m8ufsTLLOU.exe" |
|
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: winbrand.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: wldp.dll |
Source: m8ufsTLLOU.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_004060E5 push ebp; retn 0008h | 0_2_004061F2
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_0040809E push ss; ret | 0_2_0040809F
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_004080BF push edx; ret | 0_2_004080CA
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_00402D51 push ebp; retf | 0_2_00402D5B
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_0040617D push ebp; retn 0008h | 0_2_004061F2
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_0040758D push ebp; iretd | 0_2_00407626
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_00406197 push ebp; retn 0008h | 0_2_004061F2
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_00409340 push ebx; ret | 0_2_004092E7
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_00409340 push esi; iretd | 0_2_00409412
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_00401B5B push ss; ret | 0_2_00401B67
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_00404764 push eax; ret | 0_2_00404777
Source: C:\Users\user\Desktop\m8ufsTLLOU.exe |
Code function: 0_2_00405BCC push edx; retn 0073h | 0_2_00405BD3
Source: m8ufsTLLOU.exe |
Static PE information: section name: .text entropy: 7.0313797670833535 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: m8ufsTLLOU.exe, 00000000.00000002.1653853497.000000000070E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Yara match |
File source: 00000000.00000002.1653761887.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: m8ufsTLLOU.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.m8ufsTLLOU.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.m8ufsTLLOU.exe.400000.0.unpack, type: UNPACKEDPE |