MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Meterpreter

Vendor detections: 11

Intelligence 11 IOCs YARA 24 File information Comments

SHA256 hash:	3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9
SHA3-384 hash:	a91403073707ab82aba634a68df2f2288fe5a0b2612fa22a0506194d2e56b380d23d9f24cc0f234ea12330987d2d557f
SHA1 hash:	3efcd68e91751414a19f3be0856265081322097b
MD5 hash:	16730fc6f05f588002bd420ca29756ce
humanhash:	six-item-spring-bravo
File name:	loader_v4.exe
Download:	download sample
Signature	Meterpreter Create hunting rule
File size:	1'137'664 bytes
First seen:	2026-03-19 17:56:50 UTC
Last seen:	2026-03-19 18:33:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4dc5d829ddb1ea7dc25b3d1eebeb7d63 (1 x Meterpreter)
ssdeep	12288:U43qbFY0vg262DPeVMMef0atjQj55jP64pxCK9yH0XWVU/lyYa5eI2ZuCF2H9d:U4+62DPeyHj14pxFBWSyYagJZuCM9
Threatray	7 similar samples on MalwareBazaar
TLSH	T18E353843A69885EAC85EC03C87579632BA33B89D4720B6EB27D45B343E67F406F0D719
TrID	45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 18.0% (.EXE) Win64 Executable (generic) (6522/11/2) 13.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.6% (.ICL) Windows Icons Library (generic) (2059/9) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	1ZRR4H
Tags:	exe Meterpreter

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

loader_v4.exe

Verdict:

No threats detected

Analysis date:

2026-03-19 17:58:20 UTC

Tags:

amsi-bypass

Link:

https://app.any.run/tasks/e71ef737-c61a-4174-8f9b-3af8b5a41fa0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.67143583.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69bc391188c80c01586c22ed

Tags:

shellcode emotet hype

Result

Verdict:

Clean

Maliciousness:

Behaviour

Connection attempt

Creating a window

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug base64 evasive packed

Link:

https://www.filescan.io/uploads/69bc3900493cb7d62d07147c/reports/6e9cb0ba-672b-4bc8-b9d6-83f35a719846/overview

Verdict:

Malicious

Labled as:

Win64/Agent_AGeneric.KUB trojan

Link:

https://www.hybrid-analysis.com/sample/3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9

Verdict:

Malicious

File Type:

exe x64

Detections:

PDM:Trojan.Win32.Generic Backdoor.Win32.Androm.wbqi Backdoor.Androm.HTTP.Download Backdoor.Agent.HTTP.C&C

Link:

https://opentip.kaspersky.com/3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/12d83f5b-a1ab-4580-9f60-88ee31ea045e

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9/

Verdict:

Malicious

Threat:

Backdoor.Win32.Androm

Link:

https://tip.neiki.dev/file/3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-03-17 18:52:48 UTC

File Type:

PE+ (Exe)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gqcltyud7irpqfaikx2sk6ct3io4cy4a5c5s7ekatu5hcruxqtmq._file

Verdict:

malicious

Label(s):

metasploit

Meterpreter

6290ff8d7a9a1553d55a188498d97aa8de62524d65dabc1bccd957bb96cc0622

Meterpreter

8099e85c4aa05f50ff299a130dc26a67b45aed519668e8b1ee1692e0034196c2

Meterpreter

error

Meterpreter

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260319-wjrftac13t/

Unpacked files

SH256 hash:

3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9

MD5 hash:

16730fc6f05f588002bd420ca29756ce

SHA1 hash:

3efcd68e91751414a19f3be0856265081322097b

Link:

https://www.unpac.me/results/c6596bfd-3ba1-498c-9a7c-0adc80468f41/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3404b9e283fa22f8140855f5257853da1dc16380e8bb2f91409d3a71469784d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_Meterpreter Create hunting rule
Author:	ditekSHen
Description:	Detects Meterpreter payload

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_Win_ETW_Bypass_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Windows ETW Bypass Detection Rule - 2025
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_Metasploit_0cc81460 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Metasploit_38b8ceec Create hunting rule
Description:	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/58210/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample