Source: 00000000.00000002.2930971142.00000000004C0000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "91.92.251.119", "Port": 4444} |
Source: Ydpdt8Efff.exe |
ReversingLabs: Detection: 81% |
Source: Ydpdt8Efff.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: |
Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Ydpdt8Efff.exe |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 4x nop then and dl, byte ptr [eax-6FA86FF7h] |
0_2_004056E0 |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 4x nop then push ebp |
0_2_004056E0 |
Source: global traffic |
TCP traffic: 192.168.2.4:49729 -> 91.92.251.119:4444 |
Source: Joe Sandbox View |
ASN Name: THEZONEBG THEZONEBG |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.92.251.119 |
Source: Ydpdt8Efff.exe |
String found in binary or memory: http://www.apache.org/ |
Source: Ydpdt8Efff.exe |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: Ydpdt8Efff.exe |
String found in binary or memory: http://www.zeustech.net/ |
Source: 00000000.00000002.2930971142.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
Source: Ydpdt8Efff.exe, 00000000.00000002.2930932267.0000000000415000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameab.exeF vs Ydpdt8Efff.exe |
Source: Ydpdt8Efff.exe |
Binary or memory string: OriginalFilenameab.exeF vs Ydpdt8Efff.exe |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Section loaded: wsock32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: Ydpdt8Efff.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: 00000000.00000002.2930971142.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: Ydpdt8Efff.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal96.troj.winEXE@1/0@0/1 |
Source: Ydpdt8Efff.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: Ydpdt8Efff.exe |
ReversingLabs: Detection: 81% |
Source: Ydpdt8Efff.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Ydpdt8Efff.exe |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 0_2_0040124A push eax; ret |
0_2_00401253 |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 0_2_00404C71 push cs; retf |
0_2_00404C8F |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 0_2_00407EC0 push ebp; ret |
0_2_00407EC1 |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 0_2_004026C0 push 00000050h; retf |
0_2_00402776 |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 0_2_00401AE2 push eax; ret |
0_2_00401AEA |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 0_2_00408370 push edi; ret |
0_2_0040837F |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 0_2_00402713 push 00000050h; retf |
0_2_00402776 |
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe |
Code function: 0_2_00404B9B push ebx; iretd |
0_2_00404B9C |
Source: Ydpdt8Efff.exe |
Static PE information: section name: .text entropy: 7.02404492702774 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Ydpdt8Efff.exe, 00000000.00000002.2930995962.00000000004FE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Yara match |
File source: 00000000.00000002.2930971142.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Ydpdt8Efff.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.Ydpdt8Efff.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Ydpdt8Efff.exe.400000.0.unpack, type: UNPACKEDPE |