MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 399f0d3ef13f91a2ee84d27d8f2ea6662a77f62447f607122dac5efed13797c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metasploit


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 399f0d3ef13f91a2ee84d27d8f2ea6662a77f62447f607122dac5efed13797c3
SHA3-384 hash: ba03368033a86e650471d4fdd43ffe7dc8cec5df294b4663241451e98025dfca5b0381024b43ca6f97e5a5a8292ea4c7
SHA1 hash: 05c26cd439d145e153856e88a1e079094a83eaae
MD5 hash: cdf5c2142a6d3247ba2debe87a956580
humanhash: item-one-comet-moon
File name:CvNHaf4t.posh
Download: download sample
Signature Metasploit
Create hunting rule
File size:3'247 bytes
First seen:2023-11-10 15:15:22 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 96:4GTtVeqHuSCh1I5QfBZL0HUmAiBrVMHi3p:tbeBaDHUmAiBrVci3p
TLSH T13D61C1932151B8EA414283BF3D8D66FA807FC224954A7444F78C5F59F9DDE233A8D6C0
Reporter pmelson
Tags:Metasploit powershell PowerShellMeterpreterReverseTCPx64 ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.19800.25531.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/654e49323dd412119bf57d4c/reports/c8cd58cc-01e1-4444-9a06-6f5ac9234c3c/overview
Verdict:
Malicious
Labled as:
Powershell.Injector.B.Generic
Link:
https://www.hybrid-analysis.com/sample/399f0d3ef13f91a2ee84d27d8f2ea6662a77f62447f607122dac5efed13797c3
Result
Verdict:
MALICIOUS
Result
Threat name:
Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1340840
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1340840 Sample: CvNHaf4t.posh.ps1 Startdate: 10/11/2023 Architecture: WINDOWS Score: 100 24 Found malware configuration 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 Antivirus detection for URL or domain 2->28 30 5 other signatures 2->30 7 powershell.exe 24 2->7         started        process3 dnsIp4 22 18.177.53.48, 11440, 49720 AMAZON-02US United States 7->22 18 C:\Users\user\AppData\...\pv12wg22.cmdline, Unicode 7->18 dropped 11 csc.exe 3 7->11         started        14 conhost.exe 7->14         started        file5 process6 file7 20 C:\Users\user\AppData\Local\...\pv12wg22.dll, PE32 11->20 dropped 16 cvtres.exe 1 11->16         started        process8
Score:
99%
Verdict:
Malware
File Type:
ASCII
Link:
https://malprob.io/report/399f0d3ef13f91a2ee84d27d8f2ea6662a77f62447f607122dac5efed13797c3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/399f0d3ef13f91a2ee84d27d8f2ea6662a77f62447f607122dac5efed13797c3/
Threat name:
Script-PowerShell.Backdoor.Meterpreter
Create hunting rule
Status:
Malicious
First seen:
2023-11-10 15:16:04 UTC
File Type:
Text (PowerShell)
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgpq2pxrh6i2f3ue2j6y6lvgmyvhp5rei73aoernvrpp5ujxs7bq._file
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:metasploit backdoor trojan
Link:
https://tria.ge/reports/231110-xn7t2aeb62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
MetaSploit
Malware Config
C2 Extraction:
18.177.53.48:11440
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/399f0d3ef13f91a2ee84d27d8f2ea6662a77f62447f607122dac5efed13797c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Metasploit

PowerShell (PS) ps1 399f0d3ef13f91a2ee84d27d8f2ea6662a77f62447f607122dac5efed13797c3

(this sample)

  
Link
https://www.virustotal.com/gui/file/399f0d3ef13f91a2ee84d27d8f2ea6662a77f62447f607122dac5efed13797c3/detection
  
Delivery method
Distributed via web download

Comments