YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 0ab1b7d53f88ff2e25dfb8bc4a30a97904ae7fe8b75542a5f830367ec8da20f4.

Scan Results


SHA256 hash: 0ab1b7d53f88ff2e25dfb8bc4a30a97904ae7fe8b75542a5f830367ec8da20f4
File size:200'704 bytes
File download: Original
MIME type:application/x-dosexec
MD5 hash: 249be8110fbdd61634226c12faaf3828
SHA1 hash: 71ccf1e219d59a224c7b662d3174956ded4ce9ef
SHA3-384 hash: b7fea8e759516ecca556e519bf78f99b88d832145b46534cf23c528f8c0391fff804cfd9e460628a2d2b187904f02e1d
First seen:2022-11-24 19:50:05 UTC
Last seen:Never
Sightings:1
imphash : 34d6d80682c8f9518e4151ef119baa51
ssdeep : 3072:loxcqIl6gM8/IpsWrjpfZ1ORwkVxjGNS1vK:6xSlLmbhezxjHK
TLSH : T1E9148D12B5818031D5BB527905BBAF221BBD7C310BB5DE5BABA45C890E741C0F33A767
telfhash :n/a
gimphash :n/a
dhash icon :n/a

Tasks


You can browse the 10 most recent tasks associated with this file blow.

Task Information


Task ID:315049a5-6c31-11ed-a71a-42010aa4000b
File name:2a40000.dll
Task parameters:ClamAV scan:True
Unpack:False
Share file:True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

Signature:Win.Exploit.Meterpreter-9777172-0

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:MALWARE_Win_Meterpreter
Author:ditekSHen
Description:Detects Meterpreter payload
TLP:TLP:WHITE
Repository:ditekshen
Rule name:meth_get_eip
Author:Willi Ballenthin
TLP:TLP:WHITE
Repository:yaraify
Rule name:meth_peb_parsing
Author:Willi Ballenthin
TLP:TLP:WHITE
Repository:yaraify
Rule name:Windows_Trojan_Metasploit_38b8ceec
Author:Elastic Security
Description:Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
TLP:TLP:WHITE
Repository:elastic
Rule name:Windows_Trojan_Metasploit_7bc0f998
Author:Elastic Security
Description:Identifies the API address lookup function leverage by metasploit shellcode
TLP:TLP:WHITE
Repository:elastic
Rule name:Windows_Trojan_Metasploit_c9773203
Author:Elastic Security
Description:Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm
TLP:TLP:WHITE
Repository:elastic

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files


The following files could be unpacked from this sample.