Windows Analysis Report
Ydpdt8Efff.exe

Overview

General Information

Sample name: Ydpdt8Efff.exe
Renamed because the original name is a hash value
Original sample name: 039aebb1a469963963e34d31a42e6608.exe
Analysis ID: 1417246
MD5: 039aebb1a469963963e34d31a42e6608
SHA1: 6a60e11aa5949ab9fd861397879e2b6649292e2b
SHA256: 5cad07e8a93e151126f2668e4acd40bfb6a6c136720868e1abb88d6ce855488b
Tags: exe

Detection

Metasploit
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Machine Learning detection for sample
Sigma detected: Potentially Suspicious Malware Callback Communication
Detected TCP or UDP traffic on non-standard ports
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Ydpdt8Efff.exe Avira: detected
Source: 00000000.00000002.2930971142.00000000004C0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "91.92.251.119", "Port": 4444}
Source: Ydpdt8Efff.exe ReversingLabs: Detection: 81%
Source: Ydpdt8Efff.exe Joe Sandbox ML: detected
Source: Ydpdt8Efff.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Ydpdt8Efff.exe
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 4x nop then and dl, byte ptr [eax-6FA86FF7h] 0_2_004056E0
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 4x nop then push ebp 0_2_004056E0
Source: global traffic TCP traffic: 192.168.2.4:49729 -> 91.92.251.119:4444
Source: Joe Sandbox View ASN Name: THEZONEBG THEZONEBG
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.251.119 (32 occurrences)
Source: Ydpdt8Efff.exe String found in binary or memory: http://www.apache.org/
Source: Ydpdt8Efff.exe String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Ydpdt8Efff.exe String found in binary or memory: http://www.zeustech.net/
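The three network findings above (callback to 91.92.251.119:4444 on a non-standard port, repeated TCP connections with no corresponding DNS query) are what a callback-communication rule keys on. The script below is an added example, not Joe Sandbox's or Sigma's logic: it correlates a constructed, line-oriented log of DNS answers and TCP connections, treats any external destination that was not named by a recent DNS answer or that sits on an uncommon port as suspicious, and reports each such destination once. The log format, the port list and the 300-second window are assumptions made for the example.

```python
"""Correlate connection events with DNS answers to flag direct-to-IP callbacks.

Added example: illustrative code, not Joe Sandbox's Sigma logic.
The log format is constructed for this example:
  "<ts> dns <qname> <answer_ip>"
  "<ts> tcp <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
"""
import ipaddress
from dataclasses import dataclass

# Destination ports treated as ordinary here; anything else counts as non-standard.
# This set is an assumption for the example, not a list taken from the report.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995, 8080, 8443}


@dataclass(frozen=True)
class Alert:
    ts: float
    dst_ip: str
    dst_port: int
    reasons: tuple


def is_local(ip: str) -> bool:
    """True for addresses that never need DNS (RFC1918, loopback, link-local, multicast)."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_multicast


def analyze(lines, dns_window=300.0):
    """Return one Alert per distinct external (dst_ip, dst_port) that was
    contacted without a DNS answer naming that IP in the preceding
    dns_window seconds, or on a port outside COMMON_PORTS.
    Lines are assumed to be in timestamp order."""
    resolved = {}   # answer IP -> timestamp of the most recent DNS answer
    reported = set()
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, kind = float(parts[0]), parts[1]
        if kind == "dns":
            resolved[parts[3]] = ts
        elif kind == "tcp" and len(parts) == 5:
            dst_ip, dst_port = parts[4].rsplit(":", 1)
            dst_port = int(dst_port)
            key = (dst_ip, dst_port)
            if is_local(dst_ip) or key in reported:
                continue
            reported.add(key)
            reasons = []
            last = resolved.get(dst_ip)
            if last is None or ts - last > dns_window:
                reasons.append("no_dns")
            if dst_port not in COMMON_PORTS:
                reasons.append("nonstandard_port")
            if reasons:
                alerts.append(Alert(ts, dst_ip, dst_port, tuple(reasons)))
    return alerts


# Constructed sample log: one benign HTTPS connection preceded by a DNS answer,
# then the report's observed callback to 91.92.251.119:4444 with no DNS query,
# then an internal SMB connection that is ignored.
SAMPLE_LOG = """\
1000.0 dns cdn.example.net 93.184.216.34
1001.0 tcp 192.168.2.4:49710 -> 93.184.216.34:443
1002.5 tcp 192.168.2.4:49729 -> 91.92.251.119:4444
1003.0 tcp 192.168.2.4:49730 -> 91.92.251.119:4444
1004.0 tcp 192.168.2.4:49731 -> 10.0.0.5:445
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log only the 91.92.251.119:4444 destination is reported, with both reasons attached; the repeated connections to it collapse into a single alert, which is the behaviour you want when a stager retries every few seconds as the 32 identical traffic lines above show.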

System Summary

Source: 00000000.00000002.2930971142.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
Source: Ydpdt8Efff.exe, 00000000.00000002.2930932267.0000000000415000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameab.exeF vs Ydpdt8Efff.exe
Source: Ydpdt8Efff.exe Binary or memory string: OriginalFilenameab.exeF vs Ydpdt8Efff.exe
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Section loaded: mswsock.dll Jump to behavior
Source: Ydpdt8Efff.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000000.00000002.2930971142.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
Source: Ydpdt8Efff.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal96.troj.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Ydpdt8Efff.exe ReversingLabs: Detection: 81%
Source: Ydpdt8Efff.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Ydpdt8Efff.exe
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 0_2_0040124A push eax; ret 0_2_00401253
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 0_2_00404C71 push cs; retf 0_2_00404C8F
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 0_2_00407EC0 push ebp; ret 0_2_00407EC1
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 0_2_004026C0 push 00000050h; retf 0_2_00402776
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 0_2_00401AE2 push eax; ret 0_2_00401AEA
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 0_2_00408370 push edi; ret 0_2_0040837F
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 0_2_00402713 push 00000050h; retf 0_2_00402776
Source: C:\Users\user\Desktop\Ydpdt8Efff.exe Code function: 0_2_00404B9B push ebx; iretd 0_2_00404B9C
Source: Ydpdt8Efff.exe Static PE information: section name: .text entropy: 7.02404492702774
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Ydpdt8Efff.exe, 00000000.00000002.2930995962.00000000004FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2930971142.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Ydpdt8Efff.exe, type: SAMPLE
Source: Yara match File source: 0.0.Ydpdt8Efff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ydpdt8Efff.exe.400000.0.unpack, type: UNPACKEDPE
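The configuration line earlier in the report ({"Type": "Metasploit Connect", "IP": "91.92.251.119", "Port": 4444}) was recovered from the memory region at 0x4C0000 that the Yara rules above match. The script below is an added example and not Joe Sandbox's extractor: it shows how that IP and port can be pulled out of a dump by keying on the way Metasploit's reverse_tcp stagers embed the sockaddr_in (on x86 a pair of push imm32 instructions followed by mov esi, esp; on x64 a single mov r12, imm64). Because the static PE flags say 32BIT_MACHINE while the matched Elastic rule's description says 64-bit reverse tcp shellcode, the extractor handles both layouts and reports which one matched. The input bytes are constructed with the helper functions, not taken from the sample.

```python
"""Recover the callback sockaddr from a Metasploit reverse_tcp stager in memory.

Added example: illustrative code, not Joe Sandbox's configuration extractor.
It keys on how the reverse_tcp stagers embed the sockaddr_in:
  x86:  push <ip>            68 ii ii ii ii
        push <AF_INET|port>  68 02 00 pp pp      (port big-endian)
        mov esi, esp         89 e6
  x64:  mov r12, <sockaddr>  49 bc 02 00 pp pp ii ii ii ii
        push r12             41 54
The trailing instruction is optional in the match and only raises confidence.
"""
import re
import socket
import struct

X86_PATTERN = re.compile(
    rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})(?P<tail>\x89\xe6)?", re.DOTALL)
X64_PATTERN = re.compile(
    rb"\x49\xbc\x02\x00(?P<port>.{2})(?P<ip>.{4})(?P<tail>\x41\x54)?", re.DOTALL)


def extract_reverse_tcp(blob: bytes):
    """Scan blob for either stager layout; return one dict per hit in the
    same shape as the report's config line, plus Arch/Offset/Confirmed."""
    hits = []
    for arch, pattern in (("x86", X86_PATTERN), ("x64", X64_PATTERN)):
        for m in pattern.finditer(blob):
            ip = socket.inet_ntoa(m.group("ip"))
            port = struct.unpack(">H", m.group("port"))[0]
            if port == 0 or ip.startswith("0."):   # discard obviously bogus matches
                continue
            hits.append({
                "Type": "Metasploit Connect",
                "IP": ip,
                "Port": port,
                "Arch": arch,
                "Offset": m.start(),
                "Confirmed": m.group("tail") is not None,
            })
    return sorted(hits, key=lambda h: h["Offset"])


# Helpers that assemble the two stager fragments; used only to build
# constructed test input here (they are not the sample's real bytes).
def build_x86_fragment(ip: str, port: int) -> bytes:
    return (b"\x68" + socket.inet_aton(ip)
            + b"\x68\x02\x00" + struct.pack(">H", port)
            + b"\x89\xe6")


def build_x64_fragment(ip: str, port: int) -> bytes:
    return (b"\x49\xbc\x02\x00" + struct.pack(">H", port) + socket.inet_aton(ip)
            + b"\x41\x54")


if __name__ == "__main__":
    # Constructed dump: nop sled, the x86 stager fragment pointing at the
    # report's C2, then padding.
    dump = b"\x90" * 16 + build_x86_fragment("91.92.251.119", 4444) + b"\x00" * 32
    for hit in extract_reverse_tcp(dump):
        print(hit)
```

Run it against a raw memory dump (for example the 0x4C0000 region saved from the sandbox) rather than the on-disk PE: the report shows the payload in a heap-style RWX region, so the stager bytes may not be present in the file image. A hit with Confirmed false is worth a manual look in a disassembler before it goes into a blocklist, since two adjacent push imm32 instructions can occur in ordinary code.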