SYMBOLCOMMON_NAMEaka. SYNONYMS
win.meterpreter (Back to overview)

Meterpreter

There is no description at this point.

References
2020-11-17cybleCyble
@online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-10-27US-CERTUS-CERT
@online{uscert:20201027:alert:cd5c1eb, author = {US-CERT}, title = {{Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky}}, date = {2020-10-27}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-301a}, language = {English}, urldate = {2020-10-29} } Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky
BabyShark Meterpreter Kimsuky
2020-10-11Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-01WiredAndy Greenberg
@online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-09-24US-CERTUS-CERT
@online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2017-06-09MorphisecMichael Gorelik
@online{gorelik:20170609:fin7:3be08a2, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2020-09-04} } FIN7 Takes Another Bite at the Restaurant Industry
Meterpreter Anunak
2011-07-10Michael Schierl
@online{schierl:20110710:facts:fb33368, author = {Michael Schierl}, title = {{Facts and myths about antivirus evasion with Metasploit}}, date = {2011-07-10}, url = {http://schierlm.users.sourceforge.net/avevasion.html}, language = {English}, urldate = {2020-08-24} } Facts and myths about antivirus evasion with Metasploit
Meterpreter
Yara Rules
[TLP:WHITE] win_meterpreter_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_meterpreter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ad 128b9f088b69 d7 b340 00508c c1406874 d24000 }
            // n = 7, score = 100
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   128b9f088b69         | adc                 cl, byte ptr [ebx + 0x698b089f]
            //   d7                   | xlatb               
            //   b340                 | mov                 bl, 0x40
            //   00508c               | add                 byte ptr [eax - 0x74], dl
            //   c1406874             | rol                 dword ptr [eax + 0x68], 0x74
            //   d24000               | rol                 byte ptr [eax], cl

        $sequence_1 = { 0100 83ffd6 5f 6205???????? 5b 8be5 5d }
            // n = 7, score = 100
            //   0100                 | add                 dword ptr [eax], eax
            //   83ffd6               | cmp                 edi, -0x2a
            //   5f                   | pop                 edi
            //   6205????????         |                     
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_2 = { f7d8 52 50 8b4614 50 ff15???????? 85c0 }
            // n = 7, score = 100
            //   f7d8                 | neg                 eax
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_3 = { 83c404 40 8906 8b24fc 97 d08b45f883c6 }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   40                   | inc                 eax
            //   8906                 | mov                 dword ptr [esi], eax
            //   8b24fc               | mov                 esp, dword ptr [esp + edi*8]
            //   97                   | xchg                eax, edi
            //   d08b45f883c6         | ror                 byte ptr [ebx - 0x397c07bb], 1

        $sequence_4 = { 2bd0 eb13 33d2 8b75af 85f6 75b1 }
            // n = 6, score = 100
            //   2bd0                 | sub                 edx, eax
            //   eb13                 | jmp                 0x15
            //   33d2                 | xor                 edx, edx
            //   8b75af               | mov                 esi, dword ptr [ebp - 0x51]
            //   85f6                 | test                esi, esi
            //   75b1                 | jne                 0xffffffb3

        $sequence_5 = { 8d2b 10a48a46045170 f5 50 94 }
            // n = 5, score = 100
            //   8d2b                 | lea                 ebp, [ebx]
            //   10a48a46045170       | adc                 byte ptr [edx + ecx*4 + 0x70510446], ah
            //   f5                   | cmc                 
            //   50                   | push                eax
            //   94                   | xchg                eax, esp

        $sequence_6 = { 8932 8b700c 83c204 4e 3bce 74ef ff9a0c8b5c03 }
            // n = 7, score = 100
            //   8932                 | mov                 dword ptr [edx], esi
            //   8b700c               | mov                 esi, dword ptr [eax + 0xc]
            //   83c204               | add                 edx, 4
            //   4e                   | dec                 esi
            //   3bce                 | cmp                 ecx, esi
            //   74ef                 | je                  0xfffffff1
            //   ff9a0c8b5c03         | lcall               [edx + 0x35c8b0c]

        $sequence_7 = { 0100 0000 8bcf 8b4514 bb???????? d3e6 8a4d10 }
            // n = 7, score = 100
            //   0100                 | add                 dword ptr [eax], eax
            //   0000                 | add                 byte ptr [eax], al
            //   8bcf                 | mov                 ecx, edi
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   bb????????           |                     
            //   d3e6                 | shl                 esi, cl
            //   8a4d10               | mov                 cl, byte ptr [ebp + 0x10]

        $sequence_8 = { 8b06 6a00 8d9afc8945f4 6a00 52 8b87047945f4 6a01 }
            // n = 7, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   6a00                 | push                0
            //   8d9afc8945f4         | lea                 ebx, [edx - 0xbba7604]
            //   6a00                 | push                0
            //   52                   | push                edx
            //   8b87047945f4         | mov                 eax, dword ptr [edi - 0xbba86fc]
            //   6a01                 | push                1

        $sequence_9 = { 1974c9ff d6 b080 fc 0a00 }
            // n = 5, score = 100
            //   1974c9ff             | sbb                 dword ptr [ecx + ecx*8 - 1], esi
            //   d6                   | salc                
            //   b080                 | mov                 al, 0x80
            //   fc                   | cld                 
            //   0a00                 | or                  al, byte ptr [eax]

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules