Windows Analysis Report
eJeQNTcb4A.exe

Overview

General Information

Sample name: eJeQNTcb4A.exe
renamed because original name is a hash value
Original sample name: ef734216083e11283bcf66e631014748.exe
Analysis ID: 1538173
MD5: ef734216083e11283bcf66e631014748
SHA1: 31df8208dc92d0f31e4e56300f0fb673e5a55fa5
SHA256: f83382863ccd22a340325055ad63a04e7a9aab147dd8526a508a6f1cbc646b2b
Tags: 32exetrojan
Infos:

Detection

Metasploit
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Machine Learning detection for sample
Creates a process in suspended mode (likely to inject code)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: eJeQNTcb4A.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.2016564869.0000000000590000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Type": "Shell Reverse Tcp", "IP": "188.166.177.132", "Port": 443}
Multi AV Scanner detection for submitted file
Source: eJeQNTcb4A.exe ReversingLabs: Detection: 84%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.7% probability
Machine Learning detection for sample
Source: eJeQNTcb4A.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: eJeQNTcb4A.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: eJeQNTcb4A.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 4x nop then mov dword ptr [eax+55F79090h], edx 0_2_00404A4B
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 4x nop then enter 308Bh, 83h 0_2_00404CD8
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 4x nop then push ebp 0_2_00408680
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 4x nop then mov eax, dword ptr [A151EC8Bh] 0_2_00404553
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 4x nop then push ebp 0_2_00405F19
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 4x nop then xor eax, 90909090h 0_2_004045E8
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 4x nop then push ebp 0_2_00408780
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.177.132
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.177.132
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.177.132
Source: eJeQNTcb4A.exe String found in binary or memory: http://www.apache.org/
Source: eJeQNTcb4A.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: eJeQNTcb4A.exe String found in binary or memory: http://www.zeustech.net/
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2016564869.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Sample file is different than original file name gathered from version info
Source: eJeQNTcb4A.exe, 00000000.00000000.2013923668.0000000000415000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameab.exeF vs eJeQNTcb4A.exe
Source: eJeQNTcb4A.exe Binary or memory string: OriginalFilenameab.exeF vs eJeQNTcb4A.exe
Uses 32bit PE files
Source: eJeQNTcb4A.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.2016564869.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: eJeQNTcb4A.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal96.troj.winEXE@4/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
Source: eJeQNTcb4A.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: eJeQNTcb4A.exe ReversingLabs: Detection: 84%
Source: unknown Process created: C:\Users\user\Desktop\eJeQNTcb4A.exe "C:\Users\user\Desktop\eJeQNTcb4A.exe"
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd Jump to behavior
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: eJeQNTcb4A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: eJeQNTcb4A.exe
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 0_2_00406810 push ebp; retf 0_2_00406811
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 0_2_00407495 push ebp; retf 0_2_00407496
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 0_2_004018A4 push eax; iretd 0_2_004018D0
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 0_2_0040B540 pushfd ; retn 0010h 0_2_0040B637
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 0_2_00401321 push eax; ret 0_2_00401326
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Code function: 0_2_0040B5B1 pushfd ; retn 0010h 0_2_0040B637
Source: eJeQNTcb4A.exe Static PE information: section name: .text entropy: 7.030657884174903
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: eJeQNTcb4A.exe, 00000000.00000002.2016609062.000000000061E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\eJeQNTcb4A.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd Jump to behavior

Remote Access Functionality
barindex
Yara detected Metasploit Payload
Source: Yara match File source: 00000000.00000002.2016564869.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: eJeQNTcb4A.exe, type: SAMPLE
Source: Yara match File source: 0.2.eJeQNTcb4A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.eJeQNTcb4A.exe.400000.0.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538173 Sample: eJeQNTcb4A.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 96 16 Found malware configuration 2->16 18 Malicious sample detected (through community Yara rule) 2->18 20 Antivirus / Scanner detection for submitted sample 2->20 22 4 other signatures 2->22 7 eJeQNTcb4A.exe 2->7         started        process3 dnsIp4 14 188.166.177.132, 443, 49704 DIGITALOCEAN-ASNUS Netherlands 7->14 10 cmd.exe 1 7->10         started        process5 process6 12 conhost.exe 10->12         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.166.177.132
 unknown Netherlands
14061 DIGITALOCEAN-ASNUS true