MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c7477a9e188ca29be9a1fe3b6cb4e40140d079cc3d9a3cdd6dccf284db00d76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Meterpreter


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c7477a9e188ca29be9a1fe3b6cb4e40140d079cc3d9a3cdd6dccf284db00d76
SHA3-384 hash: 08988eb0ce4e0acef32af1a42a096a08334feaee4e6f28cc70d19e5fd13c59a828d589054f783c4eac5c29e0f5d1c5f6
SHA1 hash: 609160c16d1a643c1d11100dc93cf129540678a3
MD5 hash: 71ba42309dc8ddb031cf0863755b1049
humanhash: london-papa-winner-johnny
File name:OneDrive.exe
Download: download sample
Signature Meterpreter
Create hunting rule
File size:79'872 bytes
First seen:2021-06-01 08:46:08 UTC
Last seen:2021-06-01 09:42:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fd357b6b621ece14d65cd7cfeb9b428a (1 x Meterpreter)
ssdeep 1536:sKyxMPUCRiALX/mrwUUcOBNPLFU70q2F0jJVfZ/1MsWwtcd6zecaesueR:sKlUCQW/mr5IPLFU70q2aLfd1386zec+
Threatray 33 similar samples on MalwareBazaar
TLSH 29735B07B5C19872E872193248A4D9A0D96FF9211E60DE7B3395067E4F302D19E36EBB
Reporter Anonymous
Tags:exe Meterpreter

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OneDrive.exe
Verdict:
Malicious activity
Analysis date:
2021-06-01 08:47:58 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/665b2b3f-dd31-42e1-9266-6611f83f467e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163756/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.27675.988.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Sending a UDP request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a818dccf-1d0a-4f38-8af3-aa588616cba8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/795125
Signature
Contains functionality to hide the console window
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c7477a9e188ca29be9a1fe3b6cb4e40140d079cc3d9a3cdd6dccf284db00d76/
Verdict:
unknown
Similar samples:
0c7591403c6672c67cd0fbb1a7d4db34a224e5388a81a82a725811999bc49b4e
Meterpreter
0f59d4e8970f5f97d8a033783d8b9cdb8fe9a30ba4462366b254f6deb69696dd
Meterpreter
25fa4f445a522467a2ae93388907c9d7ef7e14a68bc3a0db7ae29198d3abfe06
Meterpreter
8291db6ed7f2be2e014d6ad586a2fa2021c6f59334416e1042ed88edea137d0b
Meterpreter
9221140e9f7e9baec64ff552c30c6bcda984435359863987ab93644f5c9fe344
Meterpreter
ae0a99c5cc44699f19c5967df89e034876b214da707275a33bcf7298697ac184
Meterpreter
b75b694bdd2b87abd5edb0012cd46d25d62962caf00c60b59b6987d3956e3a73
Meterpreter
c7c2bb08529df1ea16244dfed79a60c039426c69823ee24731213011460ee82d
Meterpreter
d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7
Meterpreter
f83b0cd39202e7040eae66dac5444eff5f9d878e3bb778613f1525aba2e3c5de
Meterpreter
+ 23 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:metasploit backdoor persistence trojan
Link:
https://tria.ge/reports/210601-4nshn19mja/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Cobaltstrike
MetaSploit
Malware Config
C2 Extraction:
103.231.91.59:16563
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c7477a9e188ca29be9a1fe3b6cb4e40140d079cc3d9a3cdd6dccf284db00d76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_Meterpreter
Create hunting rule
Author:ditekSHen
Description:Detects Meterpreter payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163756/

Comments