MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a93cdc65705c26823e6224e067ecf833f2f81a6d61e2ad415e9aac4f706eb16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Meterpreter


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a93cdc65705c26823e6224e067ecf833f2f81a6d61e2ad415e9aac4f706eb16
SHA3-384 hash: b4ed3a816cb516de1486391f3742f76fcef9e3c931e5b300e75157ab630cfd1aec07d5051ca646d34c966a1e7464d377
SHA1 hash: 61953b5ca59430bb5bab9d8a8a9e4ad0445f2ed0
MD5 hash: 4756f8b68009c81611c8ff9866efafe2
humanhash: vegan-nitrogen-alabama-north
File name:4756f8b68009c81611c8ff9866efafe2.exe
Download: download sample
Signature Meterpreter
Create hunting rule
File size:7'168 bytes
First seen:2025-02-09 19:55:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4c6fff030479aa3b12625be67bf4914 (122 x Meterpreter, 16 x Metasploit, 4 x CobaltStrike)
ssdeep 24:eFGStrJ9u0/6qH5nZdkBQAVRYLwKtRq4eNDMSCvOXpmB:is0vpkBQ5LwKZSD9C2kB
TLSH T159E1752337589DB6D87C063D46E3BCA7A25C4E383F3B47B599280317396312865B5A44
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe Meterpreter


Avatar
abuse_ch
Meterpreter C2:
212.224.88.39:4466

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.224.88.39:4466 https://threatfox.abuse.ch/ioc/1407991/

Intelligence

File Origin
# of uploads :
1
# of downloads :
672
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
meterpreter
Create hunting rule
ID:
1
File name:
4756f8b68009c81611c8ff9866efafe2.exe
Verdict:
Malicious activity
Analysis date:
2025-02-09 20:00:09 UTC
Tags:
meterpreter backdoor payload metasploit shellcode
Link:
https://app.any.run/tasks/683ca39f-ecb1-48af-96f9-c9590bceb3da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Metasploit-10022275-0
Create hunting rule

SecuriteInfo.com.Crypt_r.AKH.14258.12458.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a908bef667f46cd182bab0
Tags:
metasploit emotet rozena
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Labled as:
Trojan.Metasploit
Link:
https://www.hybrid-analysis.com/sample/8a93cdc65705c26823e6224e067ecf833f2f81a6d61e2ad415e9aac4f706eb16
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afe96b72-a9fa-453b-854f-f70a75205b11
Result
Threat name:
Metasploit, Meterpreter
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1610626
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to check if the process is started with administrator privileges
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Metasploit Payload
Yara detected Meterpreter
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a93cdc65705c26823e6224e067ecf833f2f81a6d61e2ad415e9aac4f706eb16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a93cdc65705c26823e6224e067ecf833f2f81a6d61e2ad415e9aac4f706eb16/
Threat name:
Win64.Backdoor.Meterpreter
Create hunting rule
Status:
Malicious
First seen:
2025-02-07 10:30:51 UTC
File Type:
PE+ (Exe)
AV detection:
34 of 38 (89.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkj43rsxaxbgqi7gejham7wpqm7s7ang2ypcvvav5gvmj5yg5mla._file
Verdict:
malicious
Label(s):
metasploit
Create hunting rule
Similar samples:
error
Meterpreter
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:metasploit backdoor discovery trojan
Link:
https://tria.ge/reports/250209-ynqq7a1lcy/
Behaviour
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Downloads MZ/PE file
MetaSploit
Metasploit family
Malware Config
C2 Extraction:
212.224.88.39:4466
Verdict:
Malicious
Tags:
trojan meterpreter red_team_tool cobalt_strike metasploit Win.Malware.Metasploit-10022275-0
YARA:
MALWARE_Win_MeterpreterStager MAL_Malware_Imphash_Mar23_1 Stairwell_CobaltStrike_Stager_API_Hashing Windows_Trojan_Metasploit_c9773203 Windows_Trojan_Metasploit_91bc5d7d Cobalt_functions
Link:
https://app.threat.zone/submission/3481dc0d-3cb4-48ed-addb-a327ad6e798b
Unpacked files
SH256 hash:
8a93cdc65705c26823e6224e067ecf833f2f81a6d61e2ad415e9aac4f706eb16
MD5 hash:
4756f8b68009c81611c8ff9866efafe2
SHA1 hash:
61953b5ca59430bb5bab9d8a8a9e4ad0445f2ed0
Link:
https://www.unpac.me/results/5d301af5-b7a7-4f94-a293-8060cd0b82ad/
Malware family:
Metasploit
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a93cdc65705/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Metasploit
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/8a93cdc65705c26823e6224e067ecf833f2f81a6d61e2ad415e9aac4f706eb16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Lazarus_Loader_Dec_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect loader used by Lazarus group in december 2020
Reference:Internal Research
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:lsadump
Create hunting rule
Author:Benjamin DELPY (gentilkiwi)
Description:LSA dump programe (bootkey/syskey) – pwdump and others
Rule name:MALWARE_Win_Meterpreter
Create hunting rule
Author:ditekSHen
Description:Detects Meterpreter payload
Rule name:MALWARE_Win_MeterpreterStager
Create hunting rule
Author:ditekSHen
Description:Detects Meterpreter stager payload
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:metasploit_rev_tcp_64
Create hunting rule
Author:Javier Rascon
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Metasploit_38b8ceec
Create hunting rule
Description:Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
Rule name:Windows_Trojan_Metasploit_47f5d54a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Metasploit_7bc0f998
Create hunting rule
Description:Identifies the API address lookup function leverage by metasploit shellcode
Rule name:Windows_Trojan_Metasploit_91bc5d7d
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Metasploit_c9773203
Create hunting rule
Description:Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm
Rule name:Windows_Trojan_Metasploit_c9773203
Create hunting rule
Author:Elastic Security
Description:Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments