MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60d3c01d262319d5b87a9fdf1d05c840429e487def482ca581c6f4bf397efc8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Meterpreter


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60d3c01d262319d5b87a9fdf1d05c840429e487def482ca581c6f4bf397efc8f
SHA3-384 hash: 5c58926860f9f893f464be9d5c9159431a7b2402eeed84aa5ee2d41ad28c63547c7f82c5771da0befd794f314d2ab397
SHA1 hash: 43ce420aa1fd48c49eff9769caee2913ad87a10d
MD5 hash: f125a54fa3441360f0ce7ca542402c1d
humanhash: oregon-batman-sink-east
File name:payload_x64_57119_staged_tcp.exe
Download: download sample
Signature Meterpreter
Create hunting rule
File size:501'248 bytes
First seen:2022-01-21 11:23:28 UTC
Last seen:2022-01-21 12:32:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f30a089187e04ce234313cfb9ab5b025 (1 x Meterpreter)
ssdeep 12288:TPOggS8iIl+UVSjGxIZGqvubeIcIDHwmvANVhINUgy:TPOggSyQKyG4GRb3cexAjyUgy
Threatray 2'159 similar samples on MalwareBazaar
TLSH T11FB4021B77E435F4E0278D3988619B15C7B2B8361A76CF1F0354A7452F27A908E3AFA1
Reporter JAMESWT_WT
Tags:exe Meterpreter

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Meterpreter
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221441/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38528284.1533.9544.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Launching a process
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07130034-2b07-45b8-9a4b-8fa03f0c24c4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/925175
Signature
Contains functionality to inject threads in other processes
Found evasive API chain (may execute only at specific dates)
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557653 Sample: payload_x64_57119_staged_tcp.exe Startdate: 21/01/2022 Architecture: WINDOWS Score: 60 32 Multi AV Scanner detection for submitted file 2->32 7 payload_x64_57119_staged_tcp.exe 2->7         started        process3 dnsIp4 30 193.201.9.212, 49755, 49756, 49757 WITBE-ASFR Germany 7->30 34 Found evasive API chain (may execute only at specific dates) 7->34 36 Contains functionality to inject threads in other processes 7->36 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        signatures5 process6 signatures7 38 Uses ping.exe to check the status of other devices and networks 11->38 18 conhost.exe 11->18         started        20 PING.EXE 1 11->20         started        22 conhost.exe 14->22         started        24 PING.EXE 1 14->24         started        26 conhost.exe 16->26         started        28 PING.EXE 1 16->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60d3c01d262319d5b87a9fdf1d05c840429e487def482ca581c6f4bf397efc8f/
Threat name:
Win64.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 11:32:42 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
24 of 43 (55.81%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
214a74a6df6269aca1279a2a0e59ac4f2d3355ed0aa7de8ffa502f2502df608b
Meterpreter
2e30e80613b34e4e0f206f0197db7f23f9d3a1da73efee6a6ff98081a56316fd
Meterpreter
79591b44955812c9f6c9f6d168a927c7af1bea5928d22c1d210eddbbcd93578e
Meterpreter
950ae733089e9761c22fcd9b1f5c1a45357fb744667298070da464afaa560905
Meterpreter
a06010d09b93b8cf46c397a30a15e7f4a163fddd7eaa18dc0eeb202b9f2560a5
Meterpreter
ac64301a43403c83264c5c32676a99521304e842fec99a66941a3313520f4e07
Meterpreter
b64b3219e447c13440ca2f800705d25b03f1ce27e214edad3cb240a34b36862b
Meterpreter
b75c337a0fb7eb49ec34d6d313a612e93dc4180a8bf25f99fd7b10ea1077e8e1
Meterpreter
b968be42546794effa6900666e9e6ad09c6e211d192571a1bed308c92222c227
Meterpreter
c765e040e1facf4b651d4684a4fdb3fd04c0d01e506bfb0dce454104f2c43f8c
Meterpreter
+ 2'149 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220121-nhqtwscec6/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
60d3c01d262319d5b87a9fdf1d05c840429e487def482ca581c6f4bf397efc8f
MD5 hash:
f125a54fa3441360f0ce7ca542402c1d
SHA1 hash:
43ce420aa1fd48c49eff9769caee2913ad87a10d
Link:
https://www.unpac.me/results/2582d011-1053-4813-b5c2-333f9b1afd8a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60d3c01d262319d5b87a9fdf1d05c840429e487def482ca581c6f4bf397efc8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Lazarus_Loader_Dec_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect loader used by Lazarus group in december 2020
Reference:Internal Research
Rule name:MALWARE_Win_Meterpreter
Create hunting rule
Author:ditekSHen
Description:Detects Meterpreter payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Meterpreter

Executable exe 60d3c01d262319d5b87a9fdf1d05c840429e487def482ca581c6f4bf397efc8f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/221441/
  
URLhaus
https://urlhaus.abuse.ch/url/1995483/
  
Delivery method
Distributed via web download

Comments