MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eac27ea606e7f61b9c1a0467212b1adcfe01041dc8885a5d3220509b9b812824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Meterpreter

Vendor detections: 15


SHA256 hash: eac27ea606e7f61b9c1a0467212b1adcfe01041dc8885a5d3220509b9b812824
SHA3-384 hash: 9508cf8befb440b6285765c70473b4941d6c5ae0f9dc6a8df29632dae27d5aa5233ad1b5dfae5505856ad906118a5feb
SHA1 hash: 85f251daceae9c6ad22603adf933f7aa168b11e5
MD5 hash: 607c6d8db5ef07ff6dc6e21ebbe07ab5
humanhash: yankee-cold-october-south
File name: Pay Increase contract.docx.exe
Signature: Meterpreter
File size: 665'120 bytes
First seen: 2023-11-16 20:05:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep: 12288:3BdlwHRn+WlYV+N0XNiGihLxD2GrNfXbm:3BkVdlYACiGiCWNfbm
Threatray: 10 similar samples on MalwareBazaar
TLSH: T1DBE48B43B6E410B0D431D631F862B621277A7CE12A33F56E3E96F56A8D33AC3063575A
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: e49e262224242624 (1 x Meterpreter)
Reporter: smica83
Tags: exe HUN Meterpreter

Intelligence


File Origin
# of uploads: 1
# of downloads: 349
Origin country: HU
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm control greyware installer lolbin lolbin masquerade overlay packed packed remote replace setupapi sfx shdocvw shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Metasploit, Meterpreter
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to inject threads in other processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Metasploit Payload
Yara detected Meterpreter
Threat name: Win32.Backdoor.Meterpreter
Status: Malicious
First seen: 2023-11-16 16:46:22 UTC
File Type: PE (Exe)
Extracted files: 23
AV detection: 24 of 38 (63.16%)
Threat level: 5/5
Result
Malware family: metasploit
Score: 10/10
Tags: family:metasploit backdoor trojan
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
MetaSploit
Unpacked files
SHA256 hash: 3d7a14efafbbc7b9b2f8cc5973c96ba7387b5f263722f3c15cf79bb9addac2a1
MD5 hash: e74d115bea3b1f67d17430d9417aa71b
SHA1 hash: 2da8d8a2e5a4e3bc472a3a2d7579b397705f4e59
Detections: MALWARE_Win_Meterpreter
SHA256 hash: 4d3257353f25475d7c946287e5041ff23c1b704097ebefec9949e0b3beadf0f9
MD5 hash: 9be0e5ae9b8307dee7c6dc213a6713f2
SHA1 hash: b546ddb37b66393cdf5c6c1fd6dcf4025f568ea3
Detections: MALWARE_Win_Meterpreter SUSP_Imphash_Mar23_2 Hunting_Rule_ShikataGaNai INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
SHA256 hash: be207ed23c0aac5536d748240b752eea21d01dc81a03390ec6807c33bbba6181
MD5 hash: 6deeba29d7868e16a4b0f9fe320ece6d
SHA1 hash: fe0fad1ff42c2e9ce82a2639796547ed24a4d860
Detections: SUSP_Imphash_Mar23_2 Hunting_Rule_ShikataGaNai
SHA256 hash: eac27ea606e7f61b9c1a0467212b1adcfe01041dc8885a5d3220509b9b812824
MD5 hash: 607c6d8db5ef07ff6dc6e21ebbe07ab5
SHA1 hash: 85f251daceae9c6ad22603adf933f7aa168b11e5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MALWARE_Win_Meterpreter
Author: ditekSHen
Description: Detects Meterpreter payload
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_peb_parsing
Author: Willi Ballenthin
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: Windows_Trojan_Metasploit_38b8ceec
Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
Rule name: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leveraged by metasploit shellcode
Rule name: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference: https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments