MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 914a13f86d053e8296256aa5b710e50360b3816ad216d6a9b86252ecc2dd0dd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Meterpreter
Vendor detections: 14
| SHA256 hash: | 914a13f86d053e8296256aa5b710e50360b3816ad216d6a9b86252ecc2dd0dd0 |
|---|---|
| SHA3-384 hash: | c81aed87a161b631db173ea0bab5052c9f2dfa1a472dea0170ed7820f102ee64a0e6ba37fe90e76fc367667170ffd540 |
| SHA1 hash: | b5f6d32809e6f7161a789f9bc7fd3831ab7e9b11 |
| MD5 hash: | 1caf1220bd0487408ae78dfbc87a97a4 |
| humanhash: | two-eleven-march-oranges |
| File name: | 1caf1220bd0487408ae78dfbc87a97a4.exe |
| Download: | download sample |
| Signature | Meterpreter |
| File size: | 7'168 bytes |
| First seen: | 2024-04-23 05:21:14 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | b4c6fff030479aa3b12625be67bf4914 (122 x Meterpreter, 16 x Metasploit, 4 x CobaltStrike) |
| ssdeep | 24:eFGStrJ9u0/6sUnZdkBQAVoac+HKLqCIeNDMSCvOXpmB:is0h4kBQVR+HrSD9C2kB |
| TLSH | T180E142133B144EB6D87D193856E2FCABB1488E293B2B42758D28031B392222879F5918 |
| TrID | 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1) |
| Reporter |  abuse_ch |
| Tags: | exe Meterpreter |
Intelligence
File Origin
# of uploads :
1
# of downloads :
342
Origin country :
NLVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
914a13f86d053e8296256aa5b710e50360b3816ad216d6a9b86252ecc2dd0dd0.exe
Verdict:
Malicious activity
Analysis date:
2024-04-23 05:33:36 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Behaviour
Connection attempt
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
cobalt metasploit meterpreter packed shelma xpack
Verdict:
Malicious
Labled as:
Trojan.Metasploit
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Metasploit
Detection:
malicious
Classification:
troj
Score:
96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Malware Callback Communication
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Score:
98%
Verdict:
Malware
File Type:
PE
Threat name:
Win64.Backdoor.Meterpreter
Status:
Malicious
First seen:
2024-04-20 12:46:57 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Result
Malware family:
metasploit
Score:
10/10
Tags:
family:metasploit backdoor trojan
Behaviour
MetaSploit
Malware Config
C2 Extraction:
103.95.97.149:4444
Unpacked files
SH256 hash:
914a13f86d053e8296256aa5b710e50360b3816ad216d6a9b86252ecc2dd0dd0
MD5 hash:
1caf1220bd0487408ae78dfbc87a97a4
SHA1 hash:
b5f6d32809e6f7161a789f9bc7fd3831ab7e9b11
Detections:
MAL_Malware_Imphash_Mar23_1
MALWARE_Win_MeterpreterStager
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | APT_Lazarus_Loader_Dec_2020_1 |
|---|---|
| Author: | Arkbird_SOLG |
| Description: | Detect loader used by Lazarus group in december 2020 |
| Reference: | Internal Research |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | lsadump |
|---|---|
| Author: | Benjamin DELPY (gentilkiwi) |
| Description: | LSA dump programe (bootkey/syskey) – pwdump and others |
| Rule name: | maldoc_getEIP_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | MALWARE_Win_Meterpreter |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Meterpreter payload |
| Rule name: | MALWARE_Win_MeterpreterStager |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Meterpreter stager payload |
| Rule name: | MAL_Malware_Imphash_Mar23_1 |
|---|---|
| Author: | Arnim Rupp |
| Description: | Detects malware by known bad imphash or rich_pe_header_hash |
| Reference: | https://yaraify.abuse.ch/statistics/ |
| Rule name: | metasploit_rev_tcp_64 |
|---|---|
| Author: | Javier Rascon |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | meth_peb_parsing |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Windows_Trojan_Metasploit_38b8ceec |
|---|---|
| Description: | Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). |
| Rule name: | Windows_Trojan_Metasploit_47f5d54a |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_Metasploit_7bc0f998 |
|---|---|
| Description: | Identifies the API address lookup function leverage by metasploit shellcode |
| Rule name: | Windows_Trojan_Metasploit_7bc0f998 |
|---|---|
| Author: | Elastic Security |
| Description: | Identifies the API address lookup function leverage by metasploit shellcode |
| Rule name: | Windows_Trojan_Metasploit_91bc5d7d |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_Metasploit_c9773203 |
|---|---|
| Description: | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. |
| Reference: | https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm |
| Rule name: | Windows_Trojan_Metasploit_c9773203 |
|---|---|
| Author: | Elastic Security |
| Description: | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. |
| Reference: | https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.