MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d87a6bd9df4c47a98929367f5fff171baf3256be9860d26add8d4a59b854b689. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Meterpreter

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	d87a6bd9df4c47a98929367f5fff171baf3256be9860d26add8d4a59b854b689
SHA3-384 hash:	4ba9be39663ae60f8c9df092c7dc6542981bfbae4338d5c0ee0be4db0f21ec1de426c70df0604a2754e5787a173a01a2
SHA1 hash:	5325ca380b503a78063a5a18700ce7abc5a6cde8
MD5 hash:	c2ba90e32311d1f2c9e2f3d101f2ff52
humanhash:	july-finch-double-mockingbird
File name:	SecuriteInfo.com.Win32.MalwareX-gen.24544.17007
Download:	download sample
Signature	Meterpreter Create hunting rule
File size:	480'256 bytes
First seen:	2025-04-25 21:41:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c862319402beb73a935051cddd29575d (1 x Meterpreter)
ssdeep	12288:5I62w9LoEpFwu+/RqIARebBhKs4k0Db4wcrK4BU:5tV9LoEpFWRqIQcW2rK
Threatray	113 similar samples on MalwareBazaar
TLSH	T18CA46A3FD790C72ED3B14034112BC7A82A6DB6725F3206C7F7B09DA4BA646DB4936612
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe Meterpreter

Intelligence

File Origin

# of uploads :

# of downloads :

523

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.24544.17007

Verdict:

No threats detected

Analysis date:

2025-04-25 21:41:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/48b9b886-9bca-4730-be6d-c2d450d921c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Meterpreter

Link:

https://www.capesandbox.com/analysis/4146/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.24544.17007.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=680c0491a37ff28e1299d8c9

Tags:

vmdetect virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm entropy exploit microsoft_visual_cc packed packed packer_detected swrort

Link:

https://www.filescan.io/uploads/680c01b7212716475faf1cdb/reports/7e3570aa-2984-4931-81f9-be05ffaec43c/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/d87a6bd9df4c47a98929367f5fff171baf3256be9860d26add8d4a59b854b689

Malware family:

Metasploit Framework

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5daee819-58c5-4ca9-ad82-ef287ac63875

Result

Threat name:

Meterpreter

Detection:

malicious

Classification:

rans.troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1674523

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes a notice file (html or txt) to demand a ransom

Yara detected Meterpreter

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d87a6bd9df4c47a98929367f5fff171baf3256be9860d26add8d4a59b854b689

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d87a6bd9df4c47a98929367f5fff171baf3256be9860d26add8d4a59b854b689/

Threat name:

Win32.Trojan.Midie

Status:

Malicious

First seen:

2025-04-25 07:03:57 UTC

File Type:

PE (Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3b5gxwo7jrd2tcjjgz7v77yxdoxtevv6tbqne2w5rvfftocuw2eq._file

Verdict:

malicious

Label(s):

fogransomware_dropper

meterpreter

metasploit

Meterpreter

49d14c84d0bc31632505801ad374b96238f5a3b9b7c40dac0a27de8483e3a355

Meterpreter

56bfd939cc96e073fab263387b3088b200e63e6f61dba88f3cddc21e63a67cd2

Meterpreter

892178251f83482008477ccaa954fab33b711b5ef48377de57b69a2d266be916

Meterpreter

8a93cdc65705c26823e6224e067ecf833f2f81a6d61e2ad415e9aac4f706eb16

Meterpreter

c081174ab9326b2a9e552dd1b96017b51dd5212a8621d97144b697002baa2ef4

Meterpreter

d87a6bd9df4c47a98929367f5fff171baf3256be9860d26add8d4a59b854b689

Meterpreter

error

Meterpreter

+ 103 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250425-1kfg6atmw9/

Behaviour

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Checks system information in the registry

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8eee3598-3bb6-4f4a-b6a3-92e5d0946b62

Unpacked files

SH256 hash:

d87a6bd9df4c47a98929367f5fff171baf3256be9860d26add8d4a59b854b689

MD5 hash:

c2ba90e32311d1f2c9e2f3d101f2ff52

SHA1 hash:

5325ca380b503a78063a5a18700ce7abc5a6cde8

Link:

https://www.unpac.me/results/fea53066-0433-4f67-9efd-dcc8c1f3fb58/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d87a6bd9df4c47a98929367f5fff171baf3256be9860d26add8d4a59b854b689

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Sandworm_ArguePatch_Apr_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/4146/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeA KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::GetSystemDirectoryA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegGetValueA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample