MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1b2a6f037998a4f5d822bdb2e791e8856d612f868b8d3d4b8b80686b5906a97a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Meterpreter
Vendor detections: 17
| SHA256 hash: | 1b2a6f037998a4f5d822bdb2e791e8856d612f868b8d3d4b8b80686b5906a97a |
|---|---|
| SHA3-384 hash: | 70d8a86fb9eedff7a94caf3e10ca912399e472a35c8d62966f2be64f8f87b3c9596f291ad2031a7d6d6626a322f2095b |
| SHA1 hash: | c206485d3d0b64d8a3f1587112ea065e2261657b |
| MD5 hash: | da3ba1f5cc565f5fafeb2a46240e09b9 |
| humanhash: | victor-video-stream-mars |
| File name: | AnyDeskvip.exe |
| Download: | download sample |
| Signature | Meterpreter |
| File size: | 90'186 bytes |
| First seen: | 2025-08-30 14:45:26 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | fb6bd8ebf4e6421b53c55dfe7d3c43af (6 x Meterpreter) |
| ssdeep | 1536:I7FtXMyNrIjlzFNlrRL+X/gxVqirTMb+KR0Nc8QslaCq3tD:StJrIJTlr0vgxVBrTe0Nc8QslaftD |
| TLSH | T1BB939D05A7C08031C153123927A56AB5A9F1FEF62632814A7DCCFEBBD7F39606516F82 |
| TrID | 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10522/11/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1) |
| Magika | pebin |
| Reporter |  abuse_ch |
| Tags: | exe Meterpreter |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 220.85.206.156:8999 | https://threatfox.abuse.ch/ioc/1578028/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
68
Origin country :
NLVendor Threat Intelligence
Malware family:
meterpreter
ID:
1
File name:
AnyDeskvip.exe
Verdict:
Malicious activity
Analysis date:
2025-08-30 14:47:34 UTC
Tags:
meterpreter backdoor payload metasploit mimikatz tools
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rozena
Verdict:
Malicious
Score:
99.9%
Tags:
cobaltstrike metasploit cobalt rozena
Result
Verdict:
Malware
Maliciousness:
Behaviour
Connection attempt
Sending a custom TCP request
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Creating a file
Creating a process from a recently created file
Creating a window
Forced system process termination
Сreating synchronization primitives
Sending an HTTP GET request
Verdict:
Malicious
Labled as:
Trojan.CryptZ.Marte.1
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-30T13:39:00Z UTC
Last seen:
2025-08-30T13:39:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Reflo.sb Trojan.Win32.Rekvex.sb HEUR:Trojan.Win32.Shella.gen HEUR:Trojan.Win32.Generic Backdoor.Win64.Meterpreter.c Trojan.Win64.Shlem.sb Trojan.Win64.Shelm.sb Trojan.Win32.Zenpak.sb Trojan.Win32.Yakes Trojan.Win32.CobaltStrike.gen Trojan.Win32.Shelm.sb Trojan.Win32.Shelm.c Trojan.Win32.Agent.sb HEUR:Trojan.Win32.Metla.a
Gathering data
Result
Threat name:
Bazar Loader, Metasploit, Meterpreter
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject threads in other processes
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Bazar Loader
Yara detected Metasploit Payload
Yara detected Meterpreter
Behaviour
Behavior Graph:
Score:
98%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Verdict:
Malicious
Threat:
Family.METASPLOIT
Threat name:
Win32.Trojan.CryptZMarte
Status:
Malicious
First seen:
2025-08-30 14:46:33 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
32 of 36 (88.89%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
metasploit
Score:
10/10
Tags:
family:metasploit backdoor defense_evasion discovery execution trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
MetaSploit
Metasploit family
Malware Config
C2 Extraction:
220.85.206.156:8999
Verdict:
Malicious
Tags:
red_team_tool cobalt_strike metasploit Win.Trojan.Swrort-5710536-0 Metasploit
YARA:
CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x Windows_Trojan_Metasploit_4a1c4da8 Cobalt_functions
Unpacked files
SH256 hash:
1b2a6f037998a4f5d822bdb2e791e8856d612f868b8d3d4b8b80686b5906a97a
MD5 hash:
da3ba1f5cc565f5fafeb2a46240e09b9
SHA1 hash:
c206485d3d0b64d8a3f1587112ea065e2261657b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x |
|---|---|
| Author: | gssincla@google.com |
| Description: | Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x |
| Reference: | https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse |
| Rule name: | CobaltStrike__Resources_Reverse_Bin_v2_5_through_v4_x |
|---|---|
| Author: | gssincla@google.com |
| Rule name: | CP_AllMal_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | lsadump |
|---|---|
| Author: | Benjamin DELPY (gentilkiwi) |
| Description: | LSA dump programe (bootkey/syskey) – pwdump and others |
| Rule name: | MALWARE_Win_Meterpreter |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Meterpreter payload |
| Rule name: | metasploit_rev_tcp_32 |
|---|---|
| Author: | Javier Rascon |
| Rule name: | meth_peb_parsing |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | Rozena |
|---|
| Rule name: | SUSP_Imphash_Mar23_2 |
|---|---|
| Author: | Arnim Rupp (https://github.com/ruppde) |
| Description: | Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal) |
| Reference: | Internal Research |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Windows_Trojan_Metasploit_0cc81460 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_Metasploit_38b8ceec |
|---|---|
| Description: | Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). |
| Rule name: | Windows_Trojan_Metasploit_47f5d54a |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_Metasploit_4a1c4da8 |
|---|---|
| Author: | Elastic Security |
| Description: | Identifies Metasploit 64 bit reverse tcp shellcode. |
| Rule name: | Windows_Trojan_Metasploit_7bc0f998 |
|---|---|
| Description: | Identifies the API address lookup function leverage by metasploit shellcode |
| Rule name: | Windows_Trojan_Metasploit_c9773203 |
|---|---|
| Description: | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. |
| Reference: | https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.