MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d909148e5963b054bf85ad82cbd20312b117a4eea3c9f613f866a9438e99a0fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Meterpreter

Vendor detections: 13

Intelligence 13 IOCs YARA 12 File information Comments

SHA256 hash:	d909148e5963b054bf85ad82cbd20312b117a4eea3c9f613f866a9438e99a0fe
SHA3-384 hash:	01e742722f37a9f36a4dda10866681d85095f99a40abc4d514d2d5b71599632a93f005b1f076cb9f83aab117457232be
SHA1 hash:	e64cbcbded20b161ed8f5d772f77863ff1f4799f
MD5 hash:	6df779cfa4ae3b0abcb5d0bc48432fa9
humanhash:	mountain-butter-india-eleven
File name:	24e7279203bc2d7aba18f3a5ba88baaf6836e8a5a5e6fd3ce9d16679
Download:	download sample
Signature	Meterpreter Create hunting rule
File size:	176'073 bytes
First seen:	2023-10-14 01:35:41 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	e8d1b179f0e22242443ea10dc9b8232f (2 x Meterpreter)
ssdeep	3072:RR6C45ds/1sAUsMGbCpcAQbzFkhgjGrRzQYN:b6F6dMiAfgjc2YN
Threatray	44 similar samples on MalwareBazaar
TLSH	T16A049D12B6908071D5BB527905BBAB121B7D7C310BB6CE5BABA44C8E0E741C0F73A767
Reporter	r3dbU7z
Tags:	backdoor dll exe Meterpreter

Intelligence

File Origin

# of uploads :

# of downloads :

368

Origin country :

Vendor Threat Intelligence

Detection:

Meterpreter

Link:

https://www.capesandbox.com/analysis/454244/

Detection(s):

Win.Exploit.Meterpreter-9777172-0

Win.Exploit.Meterpreter-10009254-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypto greyware overlay

Link:

https://www.filescan.io/uploads/6529f0844feff9bfde55e438/reports/54fe97b6-c0ef-466e-a354-6725b8baff08/overview

Verdict:

Malicious

Labled as:

ShellCode.Marte.2.Generic

Link:

https://www.hybrid-analysis.com/sample/d909148e5963b054bf85ad82cbd20312b117a4eea3c9f613f866a9438e99a0fe

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Meterpreter

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/af7ead5d-e05e-4352-8420-177d11eb8c17

Result

Threat name:

Meterpreter

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1325559

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject threads in other processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Meterpreter

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d909148e5963b054bf85ad82cbd20312b117a4eea3c9f613f866a9438e99a0fe

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d909148e5963b054bf85ad82cbd20312b117a4eea3c9f613f866a9438e99a0fe/

Threat name:

Win32.Backdoor.Meterpreter

Status:

Malicious

First seen:

2023-10-14 01:36:06 UTC

File Type:

PE (Dll)

AV detection:

21 of 23 (91.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3eerjdszmoyfjp4fvwbmxuqdckyrpjhoupe7me7ym2uuhduzud7a._file

Verdict:

malicious

Meterpreter

332f53344cec91ce2c8ed1e2e792e953002fa25ecb8fcd952f512ab0bc367dea

Meterpreter

7beb0930c77897b1ff9250bd60a7b2e72738942caa53a5ebee1524032c83a940

Meterpreter

848de91c16469e9f09e284adbbbf8cf317db916b414240c6bd46364a8f4c2c84

Meterpreter

e840b559962b8b36d6096dc7b12a1b05e87310cedf595e2429904f0f5fe164b6

Meterpreter

f199cc703c62cb31955634bf10a1285c81fb95f3bba152130cb3cb2e976aef1f

Meterpreter

f1cc6681e7fd5fcd23a3464b08d9128f15b0acb606754ab0776683d649fb50a8

Meterpreter

f790bf11ea244e4397b152ca789091b3c5c442ea3c27ce0c18d3ec4c3d8ea011

Meterpreter

+ 34 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231014-bz81ksaa7s/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

d909148e5963b054bf85ad82cbd20312b117a4eea3c9f613f866a9438e99a0fe

MD5 hash:

6df779cfa4ae3b0abcb5d0bc48432fa9

SHA1 hash:

e64cbcbded20b161ed8f5d772f77863ff1f4799f

Link:

https://www.unpac.me/results/a668a8c1-92b0-46ba-8d13-c9023dae552d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d909148e5963b054bf85ad82cbd20312b117a4eea3c9f613f866a9438e99a0fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_Meterpreter Create hunting rule
Author:	ditekSHen
Description:	Detects Meterpreter payload

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	Windows_Trojan_Metasploit_38b8ceec Create hunting rule
Author:	Elastic Security
Description:	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).

Rule name:	Windows_Trojan_Metasploit_38b8ceec Create hunting rule
Description:	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Author:	Elastic Security
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Author:	Elastic Security
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Meterpreter

DLL dll d909148e5963b054bf85ad82cbd20312b117a4eea3c9f613f866a9438e99a0fe

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/454244/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample