MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Meterpreter


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054
SHA3-384 hash: 80c591fcd44268c23e12159bca3adddf6811027eb627f41a7d1dd2549384aee88fd76cb163bf6c394ee877b8d14a208c
SHA1 hash: 78524f4d742e5d0e073460fc9bca56fb92cf7bf4
MD5 hash: eb6ab5c7b011e08a2b38ec567674b4e6
humanhash: illinois-leopard-double-illinois
File name:dbghelp.dll
Download: download sample
Signature Meterpreter
Create hunting rule
File size:34'816 bytes
First seen:2025-11-01 18:33:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dce7cc2e812752626738e292c0a0288 (1 x Meterpreter)
ssdeep 384:+dYgj+lCdJOSNxwy2jvDCeOZBNDbD67jXtAfRm:7lCrGy2jWeOZBNDbD6nXtAm
Threatray 1 similar samples on MalwareBazaar
TLSH T124F2C3A116324C7CD8F84B74DC77FAEE87A2F60E9281AA3591483185FC7155B1E309FA
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter smica83
Tags:exe Meterpreter

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dbghelp.dll
Verdict:
No threats detected
Analysis date:
2025-11-01 18:36:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1c44df23-4008-49a0-bb18-743534d20e5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34964/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690652889942f1282ecb353f
Tags:
malware
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm masquerade microsoft_visual_cc
Link:
https://www.filescan.io/uploads/69065283a3d163109526ca6d/reports/68511224-329d-4c44-a8a7-1bca469d68fb/overview
Verdict:
Suspicious
Labled as:
HEUR_Trojan_Win32_Generic
Link:
https://www.hybrid-analysis.com/sample/f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054
Verdict:
Malicious
File Type:
dll x64
First seen:
2025-10-30T08:17:00Z UTC
Last seen:
2025-11-02T04:43:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Generic Trojan.Win32.Shelma.a PDM:Exploit.Win32.Generic Trojan.Win64.Shelm.sb Trojan.Win32.Shelm.c Trojan.Win32.Shelm.a Trojan.Win32.Inject.sb
Link:
https://opentip.kaspersky.com/f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1f48ce6d-776e-45bf-9330-aa6c0fa38657
Result
Threat name:
Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1806327
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1806327 Sample: dbghelp.dll.exe Startdate: 01/11/2025 Architecture: WINDOWS Score: 88 26 is25.in 2->26 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 2 other signatures 2->36 8 loaddll64.exe 1 2->8         started        signatures3 process4 process5 10 rundll32.exe 8->10         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        18 23 other processes 8->18 dnsIp6 28 is25.in 145.223.79.199, 49717, 49718, 49726 VBA-ASNL Netherlands 10->28 38 Contains functionality to inject threads in other processes 10->38 20 WerFault.exe 20 16 10->20         started        40 System process connects to network (likely due to code injection or exploit) 14->40 22 WerFault.exe 16 16->22         started        24 rundll32.exe 18->24         started        signatures7 process8
Score:
16%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/eb6ab5c7b011e08a2b38ec567674b4e6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054/
Verdict:
Malicious
Threat:
Trojan.Win32.Shelm
Link:
https://tip.neiki.dev/file/f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-30 13:17:57 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vuo7vk3ekqbz5w35bnunww2uat5dhtjrltxaklmgx2vdbsnabka._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
error
Meterpreter
f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054
Meterpreter
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/251101-w7g72se19d/
Behaviour
Badlisted process makes network request
Unpacked files
SH256 hash:
f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054
MD5 hash:
eb6ab5c7b011e08a2b38ec567674b4e6
SHA1 hash:
78524f4d742e5d0e073460fc9bca56fb92cf7bf4
Link:
https://www.unpac.me/results/b139b772-f5ff-402a-9276-eb726aa496b2/
Malware family:
Metasploit
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f568efd55b22/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f568efd55b22a01cf6dbe85b46dadaa027d19e698ae770296c35f551864d0054

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34964/

Comments