MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7382e9292d5785730aaadaca5f0505c26ea5b27d55128fc7d69a19ff2e50d5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Meterpreter


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7382e9292d5785730aaadaca5f0505c26ea5b27d55128fc7d69a19ff2e50d5d
SHA3-384 hash: 6c192a066cb1cdf1706dffced4cd927f4828ebb96820e6307825494216c604a31a1fbf3cfa4336bfb5b0bfc6b4be808a
SHA1 hash: c8ad6f253f9714da1afa6ee73ba86d2c9cf469ed
MD5 hash: 0d38bc5b972ea7a72153b5bd9391f4d8
humanhash: eight-seven-timing-july
File name:d7382e9292d5785730aaadaca5f0505c26ea5b27d55128fc7d69a19ff2e50d5d
Download: download sample
Signature Meterpreter
Create hunting rule
File size:233'472 bytes
First seen:2021-06-24 17:45:27 UTC
Last seen:2021-06-24 18:46:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ec99bfbe2949d8a0e56ebf0cd567ca6f (1 x Meterpreter)
ssdeep 3072:+FWg1OpqrivwKU2VKUSjR4e9NPwYFekCOnO2Pvb7OTDNnt1QLoY46RPfItaMFy3y:+EXqWIycUgZ9NIYUkCKyKohrthg3
Threatray 932 similar samples on MalwareBazaar
TLSH DB347D1573A90CBAEC778235C8534A06E6727C560771D6AF0390432AEF2F7E1A53EB21
Reporter j_dubp
Tags:exe Meterpreter

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lo.ttf
Verdict:
No threats detected
Analysis date:
2021-06-24 00:57:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d83b828c-daf8-444b-bbf5-122a1b472fdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168112/
Detection(s):
SecuriteInfo.com.Trojan.Win64.Shelma.a44b3a0d.25517.7506.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9bda98d6-2038-4699-a2d7-db50ff12e494
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/807670
Signature
Allocates memory in foreign processes
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to check if the process is started with administrator privileges
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses nslookup.exe to query domains
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440080 Sample: 15Ntaf3OSO Startdate: 24/06/2021 Architecture: WINDOWS Score: 80 38 Multi AV Scanner detection for submitted file 2->38 9 loaddll64.exe 1 2->9         started        process3 process4 11 rundll32.exe 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 9->16         started        signatures5 54 Uses nslookup.exe to query domains 11->54 56 Writes to foreign memory regions 11->56 58 Allocates memory in foreign processes 11->58 60 Queues an APC in another process (thread injection) 11->60 18 nslookup.exe 13 11->18         started        22 rundll32.exe 14->22         started        24 nslookup.exe 5 16->24         started        process6 dnsIp7 34 167.99.116.149, 443, 49699, 49700 DIGITALOCEAN-ASNUS United States 18->34 36 192.168.2.1 unknown unknown 18->36 40 Contains functionality to change the desktop window for a process (likely to hide graphical interactions) 18->40 42 Contains functionality to inject threads in other processes 18->42 44 Contains functionality to inject code into remote processes 18->44 46 Contains functionality to check if the process is started with administrator privileges 18->46 26 conhost.exe 18->26         started        48 Uses nslookup.exe to query domains 22->48 50 Writes to foreign memory regions 22->50 52 Allocates memory in foreign processes 22->52 28 nslookup.exe 5 22->28         started        30 conhost.exe 24->30         started        signatures8 process9 process10 32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7382e9292d5785730aaadaca5f0505c26ea5b27d55128fc7d69a19ff2e50d5d/
Threat name:
Win64.Trojan.Shelma
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 08:02:22 UTC
AV detection:
2 of 29 (6.90%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
02efd5f4d8dedabeab8e75f3e49a8fdb05c28dfd39bc1e5c96e8213fe3212e9f
Meterpreter
08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9
Meterpreter
4f4037898d619b3b5f1c9fedd3e3940f46d39a57db2cbf9b4d8238d587fd7168
Meterpreter
593d037e9fd467ebe80cb0ff28d22be2dbc0fdaad4d626ee2ad30707d8ea23da
Meterpreter
60755909e216dc65f11b7b49ae73ad3e08cb1c5e4255916ea195dbd896f3ae73
Meterpreter
89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273
Meterpreter
d5fce47c9f644b0cd9d392a93e30bbfdc9368d06250263a200708da9f80e4048
Meterpreter
e840b559962b8b36d6096dc7b12a1b05e87310cedf595e2429904f0f5fe164b6
Meterpreter
f6d89ff139f4169e8a67332a0fd55b6c9beda0b619b1332ddc07d9a860558bab
Meterpreter
f9a19835601dc81b94557b0452cbde314a8f856e9d6371b825f39b627dba2949
Meterpreter
+ 922 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210624-4wg8ly4ktn/
Behaviour
Suspicious use of WriteProcessMemory
Downloads MZ/PE file
Unpacked files
SH256 hash:
d7382e9292d5785730aaadaca5f0505c26ea5b27d55128fc7d69a19ff2e50d5d
MD5 hash:
0d38bc5b972ea7a72153b5bd9391f4d8
SHA1 hash:
c8ad6f253f9714da1afa6ee73ba86d2c9cf469ed
Link:
https://www.unpac.me/results/a7a30dc7-db8e-45e4-8e7b-5e92b969b780/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7382e9292d5785730aaadaca5f0505c26ea5b27d55128fc7d69a19ff2e50d5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_Meterpreter
Create hunting rule
Author:ditekSHen
Description:Detects Meterpreter payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168112/

Comments