YARAify Scan Results

Task Information

---

Task ID:	95fb34f0-aa06-11ed-866d-42010aa4000b
File name:	26a0000.dll
Task parameters:	ClamAV scan:	True
	Unpack:	False
	Share file:	True

ClamAV Results

---

The file matched the following open source and commercial ClamAV rules.

Signature:	Win.Tool.MeterPreter-6294292-0 Alert Create hunting rule

YARA Results

---

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:	APT_Lazarus_Loader_Dec_2020_1 Alert Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect loader used by Lazarus group in december 2020
Reference:	Internal Research
TLP:	TLP:WHITE
Repository:	StrangerealIntel

Rule name:	HKTL_Meterpreter_inMemory Alert Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Alert Create hunting rule
Author:	ditekSHen
Description:	detects Reflective DLL injection artifacts
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	meth_get_eip Alert Create hunting rule
Author:	Willi Ballenthin
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	meth_peb_parsing Alert Create hunting rule
Author:	Willi Ballenthin
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	ReflectiveLoader Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	Windows_Trojan_Metasploit_38b8ceec Alert Create hunting rule
Author:	Elastic Security
Description:	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_Metasploit_38b8ceec Alert Create hunting rule
Description:	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Alert Create hunting rule
Author:	Elastic Security
Description:	Identifies the API address lookup function leverage by metasploit shellcode
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_Metasploit_7bc0f998 Alert Create hunting rule
Description:	Identifies the API address lookup function leverage by metasploit shellcode
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_Metasploit_c9773203 Alert Create hunting rule
Author:	Elastic Security
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_Metasploit_c9773203 Alert Create hunting rule
Description:	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:	https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_Metasploit_dd5ce989 Alert Create hunting rule
Author:	Elastic Security
Description:	Identifies Meterpreter DLL used by Metasploit
Reference:	https://www.rapid7.com/blog/post/2015/03/25/stageless-meterpreter-payloads/
TLP:	TLP:WHITE
Repository:	elastic

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

---

The following files could be unpacked from this sample.