MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3312ee2ec44c08dd98d55bfc9284997f9f632a62558d8b708576378ebeca622e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Meterpreter

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	3312ee2ec44c08dd98d55bfc9284997f9f632a62558d8b708576378ebeca622e
SHA3-384 hash:	38817dc656c79198ab570f36bd6830e537252cb0d939cec17c06b62d05b8cddbf20e88be8ebe8d4e700373690894fe93
SHA1 hash:	820e1e4adcc6563212793c8e9e65ae3f5e74bf77
MD5 hash:	add607ff23b2b3a3a577f8c115d422ac
humanhash:	romeo-bravo-nebraska-king
File name:	de.bin
Download:	download sample
Signature	Meterpreter Create hunting rule
File size:	7'168 bytes
First seen:	2022-05-19 19:43:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b4c6fff030479aa3b12625be67bf4914 (122 x Meterpreter, 16 x Metasploit, 4 x CobaltStrike)
ssdeep	24:eFGStrJ9u0/6gLnZdkBQAVX56WY+GGKtRqCeNDMSCvOXpmB:is0t3kBQki+hKvSD9C2kB
Threatray	15 similar samples on MalwareBazaar
TLSH	T185E175533B548DB2D87C097D4AD3FDA761999F392B2B8272CD1813172A2212476F4904
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	WhichbufferArda
Tags:	exe Meterpreter

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

de.bin

Verdict:

No threats detected

Analysis date:

2022-05-19 20:00:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/089006e9-671e-4729-877a-8f1b0ed12cc3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/272729/

Detection(s):

SecuriteInfo.com.Crypt_r.AKH.14258.12458.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19005/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

cobalt packed

Link:

https://www.filescan.io/uploads/62869e073ec49f83a6b6f632/reports/e27e951d-6383-45c6-b019-5326e62f84cf/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4b941934-21a3-4ecf-a356-5a636bada034

Result

Threat name:

Metasploit, Meterpreter

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998038

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to change the desktop window for a process (likely to hide graphical interactions)

Contains functionality to check if the process is started with administrator privileges

Contains functionality to inject code into remote processes

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Metasploit Payload

Yara detected Meterpreter

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3312ee2ec44c08dd98d55bfc9284997f9f632a62558d8b708576378ebeca622e/

Threat name:

Win64.Backdoor.Meterpreter

Status:

Malicious

First seen:

2021-01-05 03:59:15 UTC

File Type:

PE+ (Exe)

AV detection:

38 of 41 (92.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gmjo4lwejqen3ggvlp6jfbezp6pwgktckwgyw4efoy3y5pwkmixa._file

Verdict:

malicious

Meterpreter

4f4037898d619b3b5f1c9fedd3e3940f46d39a57db2cbf9b4d8238d587fd7168

Meterpreter

593d037e9fd467ebe80cb0ff28d22be2dbc0fdaad4d626ee2ad30707d8ea23da

Meterpreter

89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273

Meterpreter

b03e97cdc9f9ba9f3309b22346ae26863b234181bfc400c06d35de19cdb220e0

Meterpreter

d5fce47c9f644b0cd9d392a93e30bbfdc9368d06250263a200708da9f80e4048

Meterpreter

d7382e9292d5785730aaadaca5f0505c26ea5b27d55128fc7d69a19ff2e50d5d

Meterpreter

e840b559962b8b36d6096dc7b12a1b05e87310cedf595e2429904f0f5fe164b6

Meterpreter

f9a19835601dc81b94557b0452cbde314a8f856e9d6371b825f39b627dba2949

Meterpreter

fd280b46b65ccc2d32b8889e0ab35155c22c428a7ed4e96b7a3588410ba9f4e8

Meterpreter

+ 5 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:metasploit suricata

Link:

https://tria.ge/reports/220519-yfs7caeafp/

Behaviour

suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)

Malware Config

C2 Extraction:

46.41.54.35:110

Unpacked files

SH256 hash:

3312ee2ec44c08dd98d55bfc9284997f9f632a62558d8b708576378ebeca622e

MD5 hash:

add607ff23b2b3a3a577f8c115d422ac

SHA1 hash:

820e1e4adcc6563212793c8e9e65ae3f5e74bf77

Link:

https://www.unpac.me/results/75026e98-8df0-40fc-a5fa-4d30e9c852ff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/3312ee2ec44c08dd98d55bfc9284997f9f632a62558d8b708576378ebeca622e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	detects Reflective DLL injection artifacts

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	metasploit_rev_tcp_64 Create hunting rule
Author:	Javier Rascon

Rule name:	metasploit_rev_tcp_64 Create hunting rule
Author:	Javier Rascon

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/WhichbufferArda/status/1527018197060358148

Cape

https://www.capesandbox.com/analysis/272729/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample