MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3aa8b48943271389fab59507ffb415d080d8ea925ede759a73e343defd0697d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Meterpreter

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 22 File information Comments

SHA256 hash:	e3aa8b48943271389fab59507ffb415d080d8ea925ede759a73e343defd0697d
SHA3-384 hash:	3f59b9532d6e8ea381a989e546a6d5e29e470ea9a050961cf510f025ea044fa6aba42c980470f0e1b999c2599a2cb89e
SHA1 hash:	821d28820357d8c1fad079c355a5275cdbb451d3
MD5 hash:	5a017ef79bfc83afbb599866047f78d8
humanhash:	ink-orange-glucose-robin
File name:	w.exe
Download:	download sample
Signature	Meterpreter Create hunting rule
File size:	7'168 bytes
First seen:	2026-02-08 18:10:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c2d02fc98f1d75d7b9457468ec75da0e (6 x Meterpreter)
ssdeep	24:eFGSG9wSDUInMy58XZh9h9ClfAh58AbhIAJU4up+:iG+ixMyeXZh9hMlu58AbxJU4b
Threatray	1 similar samples on MalwareBazaar
TLSH	T1A2E123A3A2365CF7F7391B7C414397C660FC773402D30A4D1A6808565191E18BCE4F93
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Meterpreter

abuse_ch

Meterpreter C2:
83.31.173.20:41144

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
83.31.173.20:41144	https://threatfox.abuse.ch/ioc/1743424/

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MetaSploit

Details

MetaSploit

a c2 socket address

Link:

https://research.acce.ciphertechsolutions.com/results/8df5fe9b-2d75-4150-af7d-3bf4120f4002/

Malware family:

n/a

ID:

File name:

w.exe

Verdict:

No threats detected

Analysis date:

2026-02-08 17:56:37 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7ba2fef0-43f3-4327-bb4b-3025dbbaa69f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rozena

Link:

https://www.capesandbox.com/analysis/52700/

Detection(s):

Win.Trojan.MSF_Shellcode-1

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6988ce5542fd65534ccd932b

Tags:

shellcode rozena trojan virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cobalt cobalt crypt microsoft_visual_cc packed rozena swrort xpack

Link:

https://www.filescan.io/uploads/6988d18d981ff1d38a4d535a/reports/f60cf5cb-9c98-405b-9d5c-c7d304b0fa52/overview

Verdict:

Malicious

Labled as:

ShellCode.Marte.3.Generic

Link:

https://www.hybrid-analysis.com/sample/e3aa8b48943271389fab59507ffb415d080d8ea925ede759a73e343defd0697d

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

Detections:

HEUR:Trojan.Win32.Generic Trojan.Win32.Shelm.c Trojan.Win32.Rekvex.sb HEUR:Trojan.Win32.Shella.gen HackTool.Meterpreter.TCP.C&C

Link:

https://opentip.kaspersky.com/e3aa8b48943271389fab59507ffb415d080d8ea925ede759a73e343defd0697d/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b8d22241-ac17-4609-a1ae-4a0698658464

Result

Threat name:

Metasploit

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1865687

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e3aa8b48943271389fab59507ffb415d080d8ea925ede759a73e343defd0697d

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/5a017ef79bfc83afbb599866047f78d8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3aa8b48943271389fab59507ffb415d080d8ea925ede759a73e343defd0697d/

Verdict:

Malicious

Threat:

Family.METASPLOIT

Link:

https://tip.neiki.dev/file/e3aa8b48943271389fab59507ffb415d080d8ea925ede759a73e343defd0697d

Threat name:

Win32.Backdoor.Meterpreter

Status:

Malicious

First seen:

2026-02-08 17:56:59 UTC

File Type:

PE (Exe)

AV detection:

31 of 36 (86.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4oviwseugjytrh5llfih762bluea3dvjexw6ownhhy2d336qnf6q._file

Verdict:

malicious

Label(s):

metasploit

Similar samples:

error

Meterpreter

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:metasploit backdoor discovery trojan

Link:

https://tria.ge/reports/260208-wr668sew9f/

Behaviour

System Location Discovery: System Language Discovery

MetaSploit

Metasploit family

Malware Config

C2 Extraction:

83.31.173.20:41144

Unpacked files

SH256 hash:

e3aa8b48943271389fab59507ffb415d080d8ea925ede759a73e343defd0697d

MD5 hash:

5a017ef79bfc83afbb599866047f78d8

SHA1 hash:

821d28820357d8c1fad079c355a5275cdbb451d3

Link:

https://www.unpac.me/results/d74c6cf0-a571-4af0-9ae8-65d5455a0427/

Malware family:

Metasploit

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e3aa8b489432/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	lsadump Create hunting rule
Author:	Benjamin DELPY (gentilkiwi)
Description:	LSA dump programe (bootkey/syskey) – pwdump and others

Rule name:	MALWARE_Win_Meterpreter Create hunting rule
Author:	ditekSHen
Description:	Detects Meterpreter payload

Rule name:	metasploit_rev_tcp_32 Create hunting rule
Author:	Javier Rascon

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	Rozena Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Metasploit_0cc81460 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Metasploit_38b8ceec Create hunting rule
Description:	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).

Rule name:	Windows_Trojan_Metasploit_4a1c4da8 Create hunting rule
Author:	Elastic Security
Description:	Identifies Metasploit 64 bit reverse tcp shellcode.

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Create hunting rule
Description:	Identifies the API address lookup function leverage by metasploit shellcode

Rule name:	Windows_Trojan_Metasploit_96233b6b Create hunting rule
Author:	Elastic Security
Description:	Identifies another 64 bit API hashing function used by Metasploit.

Rule name:	Windows_Trojan_Metasploit_c9773203 Create hunting rule
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/52700/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample