MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b866fef4739496f6d000c5ac95d774d0515941f4c93f60d3bade20a7a5e0fe14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Meterpreter

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	b866fef4739496f6d000c5ac95d774d0515941f4c93f60d3bade20a7a5e0fe14
SHA3-384 hash:	022ed60cc3c0f49bb316d1bd205d7ea75e71bfbaca90bd8b230d3ea039e2bb41485fc30bd12d3f7a36bba46bf83966de
SHA1 hash:	3b68f307a518f4992989cdef3c0792a5db9c0088
MD5 hash:	16451c80f18ca7d30f2ef0760c725315
humanhash:	georgia-hotel-wisconsin-four
File name:	file
Download:	download sample
Signature	Meterpreter Create hunting rule
File size:	46'592 bytes
First seen:	2024-09-20 13:47:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fc2ca0dd2bd0f0a143659652556a192d (6 x Meterpreter, 1 x Metasploit)
ssdeep	768:j/6eAy7Qt0SIyMFKwg9/nBqy0bDiDXSZVixElkg40eO7cQn7DeWq3:z6eAT0zyMtYg7XiDGVwElkg97cQeWq3
Threatray	155 similar samples on MalwareBazaar
TLSH	T13623F0A287E82728E9FB69B646381E47A60AF90EC434D7DDD3D064EF88507001D1CB7B
TrID	52.9% (.EXE) Win32 Executable (generic) (4504/4/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	jstrosch
Tags:	exe Meterpreter

jstrosch

Found at hxxp://89.197.154[.]116/Tracker.exe by #subcrawl

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-09-20 13:49:18 UTC

Tags:

mpress metasploit

Link:

https://app.any.run/tasks/69abeb8c-f931-43e3-a1bb-cef1bea1cd78

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Swrort-5710536-0

Win.Trojan.Agent-1385408

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ed7d19f129e67ada901833

Tags:

Stealth Shellcode

Result

Verdict:

Clean

Maliciousness:

Behaviour

Connection attempt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

epmpress mpress packed packed packed rozena swrort

Link:

https://www.filescan.io/uploads/66ed7d185e9303a294233db9/reports/52232eef-54ec-4347-a84b-718f41e2b9bc/overview

Verdict:

Malicious

Labled as:

GenPack:Generic.ShellCode.Marte.3

Link:

https://www.hybrid-analysis.com/sample/b866fef4739496f6d000c5ac95d774d0515941f4c93f60d3bade20a7a5e0fe14

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f31d623a-164d-467a-88c8-c772dc3f697c

Result

Threat name:

Metasploit

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1514525

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b866fef4739496f6d000c5ac95d774d0515941f4c93f60d3bade20a7a5e0fe14

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b866fef4739496f6d000c5ac95d774d0515941f4c93f60d3bade20a7a5e0fe14/

Threat name:

Win32.Backdoor.Meterpreter

Status:

Malicious

First seen:

2024-09-15 04:29:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 38 (81.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xbtp55dtsslpnuaaywwjlv3u2bivsqpuze7wbu523yqkpjpa7yka._file

Verdict:

malicious

Label(s):

metasploit

Meterpreter

28894ebd9537959f6d45cb8f5cd21fcff66472820f5e8bcc6944276fa32c2623

Meterpreter

472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1

Meterpreter

7c81d05dd82233e0278c83ca0b1a3b3ad9f0fa4b8b56bef98bba964752369754

Meterpreter

9ca8dc8342e23488434e9dd93ce915c1a562ab0f8b4a5e9c4d994e78fcddf5d2

Meterpreter

9d1a249ea5a3b916fb22868b1603d9acefe912afc472830fa074ba873b55759b

Meterpreter

b8f10c23448f6d30808e7e74322ebd4121cf2c589c86cc3b0b57df6c705a867e

Meterpreter

f8d665d64793bd0d9c015c19f5eef47e7ece8e03f932e98bec38483dc2afdaad

Meterpreter

+ 145 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:metasploit backdoor discovery trojan

Link:

https://tria.ge/reports/240920-q34ycszaqc/

Behaviour

System Location Discovery: System Language Discovery

MetaSploit

Malware Config

C2 Extraction:

89.197.154.116:7810

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d46ab863-b80f-43ef-9b26-6712d8facd7c

Unpacked files

SH256 hash:

d1108a3d87f3d1d6cb5aeab4ca30874e5288d38975a39076bced2ef2739c1f23

MD5 hash:

3d1411a5231420965cbb1f1266461920

SHA1 hash:

e98bc465732fe73ff9493d4f7077b6db278c20a1

Detections:

CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x

Link:

https://www.unpac.me/results/c4f26f29-aabf-4c64-bec9-0ca9afb7d7e3/

SH256 hash:

b866fef4739496f6d000c5ac95d774d0515941f4c93f60d3bade20a7a5e0fe14

MD5 hash:

16451c80f18ca7d30f2ef0760c725315

SHA1 hash:

3b68f307a518f4992989cdef3c0792a5db9c0088

Link:

https://www.unpac.me/results/c4f26f29-aabf-4c64-bec9-0ca9afb7d7e3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b866fef4739496f6d000c5ac95d774d0515941f4c93f60d3bade20a7a5e0fe14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	mpress_2_xx_x86 Create hunting rule
Author:	Kevin Falcoz
Description:	MPRESS v2.XX x86 - no .NET

Rule name:	TeslaCryptPackedMalware Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Meterpreter

exe b866fef4739496f6d000c5ac95d774d0515941f4c93f60d3bade20a7a5e0fe14

(this sample)

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::FreeSid
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::WSARecv

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample