MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 571de8219bf86b49ea252c45a0b42e3263af6be74a710ef496b5418ea990fe6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Meterpreter

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 4 File information Comments

SHA256 hash:	571de8219bf86b49ea252c45a0b42e3263af6be74a710ef496b5418ea990fe6e
SHA3-384 hash:	59f945e86e17c3983ffa2eeff38be777ff86aff0caa8c2753784881e7123309f2eeef522c94d3b914fa2773f9537c615
SHA1 hash:	4feb8bb6a4bb328e6aa3da4dceff752c87e3e1be
MD5 hash:	5f6d69736d3375c7598fe277f54e61c9
humanhash:	seven-pennsylvania-maine-finch
File name:	5f6d69736d3375c7598fe277f54e61c9.exe
Download:	download sample
Signature	Meterpreter Create hunting rule
File size:	73'728 bytes
First seen:	2022-09-06 01:30:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	46be82ecd96300ec7ce610dc0f6e3bf0 (2 x Meterpreter)
ssdeep	768:QKvHz44fLffEdN3Jqq2QA/qB4z2m77sYcA76hkJt/XEiCKPlUlWPe1t5uNC/hpH5:vvs4DfCNUmkv77lw/clUkPnihrqI
Threatray	38 similar samples on MalwareBazaar
TLSH	T1F3730856F2D368F8C167C17486E26732F931BC125134AF6D87A4FB312E16E60AE5E720
TrID	43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 27.6% (.EXE) Win64 Executable (generic) (10523/12/4) 13.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) OS/2 Executable (generic) (2029/13) 5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	exe Meterpreter

abuse_ch

Meterpreter C2:
119.12.171.32:5566

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
119.12.171.32:5566	https://threatfox.abuse.ch/ioc/848037/

Intelligence

File Origin

# of uploads :

# of downloads :

371

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5f6d69736d3375c7598fe277f54e61c9.exe

Verdict:

No threats detected

Analysis date:

2022-09-06 01:32:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/35e6e3be-64ce-49b1-8f98-6a24f40e625b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308011/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/36732/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug meterpreter rozena shelma swrort

Link:

https://www.filescan.io/uploads/6316a2d88e11a57db57b27eb/reports/06fb76f0-9fd7-4b4f-9b50-627e88384159/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Meterpreter

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bd26dc5c-baa0-47f2-ae02-6996b2d968cf

Result

Threat name:

Meterpreter

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1065334

Signature

Contains functionality to change the desktop window for a process (likely to hide graphical interactions)

Contains functionality to check if the process is started with administrator privileges

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found API chain indicative of debugger detection

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Meterpreter

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/571de8219bf86b49ea252c45a0b42e3263af6be74a710ef496b5418ea990fe6e/

Threat name:

Win64.Backdoor.Meterpreter

Status:

Malicious

First seen:

2022-09-01 13:36:00 UTC

File Type:

PE+ (Exe)

AV detection:

21 of 41 (51.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k4o6qim37bvut2rffrc2bnbogjr2627hjjyq55ewwvay5kmq7zxa._file

Verdict:

malicious

Meterpreter

08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9

Meterpreter

3312ee2ec44c08dd98d55bfc9284997f9f632a62558d8b708576378ebeca622e

Meterpreter

5f3916cde8f3852fc370be7442e668f31a0d676f2ae912f88042481f972cc26a

Meterpreter

89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273

Meterpreter

a3b14096156684a6aed44851c7c9d1fbe64e7926cbdf57317f083f0ca1ae4d06

Meterpreter

ad46afba7ae9c74ce451a76ea35d56e8e419bc136b163c5ad91ee73066f01f59

Meterpreter

d7382e9292d5785730aaadaca5f0505c26ea5b27d55128fc7d69a19ff2e50d5d

Meterpreter

e840b559962b8b36d6096dc7b12a1b05e87310cedf595e2429904f0f5fe164b6

Meterpreter

+ 28 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220906-bxc55adaa3/

Unpacked files

SH256 hash:

571de8219bf86b49ea252c45a0b42e3263af6be74a710ef496b5418ea990fe6e

MD5 hash:

5f6d69736d3375c7598fe277f54e61c9

SHA1 hash:

4feb8bb6a4bb328e6aa3da4dceff752c87e3e1be

Link:

https://www.unpac.me/results/6ba38e0e-e909-4d8d-92f8-db888d6f51b5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Pay2Key

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/571de8219bf86b49ea252c45a0b42e3263af6be74a710ef496b5418ea990fe6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Lazarus_Loader_Dec_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect loader used by Lazarus group in december 2020
Reference:	Internal Research

Rule name:	MALWARE_Win_Meterpreter Create hunting rule
Author:	ditekSHen
Description:	Detects Meterpreter payload

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308011/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample