MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fdcd7983076fde019d68d43cd237d65b6036e3fc4aba49c2fc06ca2bf7ef2a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Meterpreter

Vendor detections: 12

Intelligence 12 IOCs YARA 13 File information Comments

SHA256 hash:	0fdcd7983076fde019d68d43cd237d65b6036e3fc4aba49c2fc06ca2bf7ef2a3
SHA3-384 hash:	69ebe0bcf8cc727dee4bdbb8f4016bea1ba73c9877ae055191838346c3f9d9a4348ea6403e0124092ecb1bd311552d92
SHA1 hash:	ab3d84b39843edb23daa60d2071f86e52c14a191
MD5 hash:	b270508a8a3eb5dfe22df76f3cf59f3f
humanhash:	sink-winter-princess-pluto
File name:	b270508a8a3eb5dfe22df76f3cf59f3f.exe
Download:	download sample
Signature	Meterpreter Create hunting rule
File size:	1'266'688 bytes
First seen:	2023-07-16 07:40:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:yvflz2QUhWN9xk6lios8tErp+I1oUnTsRTh1MdtTQnA:DhWRFI91qpRN1MdtTN
Threatray	72 similar samples on MalwareBazaar
TLSH	T14A45227E6AAC5FE2C3AE06BA40D31F416778411846C7E30F845409FDD9613EBAE2295F
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe Meterpreter

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://24.199.83.51/userinit3.exe

Verdict:

No threats detected

Analysis date:

2023-07-10 01:58:56 UTC

Tags:

loader

Link:

https://app.any.run/tasks/dd00400b-4f2d-46ce-a00e-fb61efc922f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/420983/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.68095339.18386.15611.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cobaltstrike net obfuscated packed packed

Link:

https://www.filescan.io/uploads/64b39f0ff52c3e1a01497aae/reports/d63f75a6-d417-4709-9e56-c49a27a4900a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/0fdcd7983076fde019d68d43cd237d65b6036e3fc4aba49c2fc06ca2bf7ef2a3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Meterpreter

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7e87dab0-61c6-4d1b-bda5-b28aa5ba32ca

Result

Threat name:

Meterpreter

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1273882

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to inject threads in other processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Meterpreter

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0fdcd7983076fde019d68d43cd237d65b6036e3fc4aba49c2fc06ca2bf7ef2a3/

Threat name:

Win32.Backdoor.Meterpreter

Status:

Malicious

First seen:

2023-07-10 05:00:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b7onpgbqo366agowrvb42i35mw3ag3r7ysv2jhbpybwkfp366krq._file

Verdict:

malicious

Meterpreter

4419d9d313d27a7e0b150af9cc38a3b24b47c9594c53daf00692db5ab0c5d968

Meterpreter

46e73b35907bea5ffc06d2c8c9b1e32b12896dcfde636b80e7c004a263ce18bf

Meterpreter

7edae5c55be343db06651111ab65397976fea091b66b8bfeb9e50a1a17c8663a

Meterpreter

9f1375f542db420157e7f2aa92a3ff1b1a4e4bf51cf37808ad93ddb1cbb3493d

Meterpreter

a3c9afd38101d1d6d06ea9e2cffc6b3aeecc46376057c4de56c48645ab62276a

Meterpreter

be3c033ff5bf0df0698deac5b06866d7a0f59767bd51e2afa0da6d4960eafd08

Meterpreter

fbf207e26ad004abf2ba23ac30ae3658fb9d68965f2eba9407407f7e04b16a6c

Meterpreter

+ 62 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230716-jh57csdb34/

Unpacked files

SH256 hash:

0fdcd7983076fde019d68d43cd237d65b6036e3fc4aba49c2fc06ca2bf7ef2a3

MD5 hash:

b270508a8a3eb5dfe22df76f3cf59f3f

SHA1 hash:

ab3d84b39843edb23daa60d2071f86e52c14a191

Link:

https://www.unpac.me/results/a9bd6c52-ea97-4062-9200-deb8e47e9e66/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0fdcd7983076fde019d68d43cd237d65b6036e3fc4aba49c2fc06ca2bf7ef2a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Lazarus_Loader_Dec_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect loader used by Lazarus group in december 2020
Reference:	Internal Research

Rule name:	HKTL_NET_GUID_UrbanBishopLocal Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects c# red/black-team tools via typelibguid
Reference:	https://github.com/slyd0g/UrbanBishopLocal

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_Meterpreter Create hunting rule
Author:	ditekSHen
Description:	Detects Meterpreter payload

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Tool_EFSPotatoe_Aug_2021_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect EFSPotatoe tool (Generic rule)
Reference:	Internal Research

Rule name:	Windows_Trojan_Metasploit_38b8ceec Create hunting rule
Author:	Elastic Security
Description:	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Author:	Elastic Security
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Author:	Elastic Security
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm