SYMBOLCOMMON_NAMEaka. SYNONYMS
win.meterpreter (Back to overview)

Meterpreter

There is no description at this point.

References
2021-01-07Recorded FutureInsikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06Red CanaryTony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2020-11-17cybleCyble
@online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-10-27US-CERTUS-CERT
@online{uscert:20201027:alert:cd5c1eb, author = {US-CERT}, title = {{Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky}}, date = {2020-10-27}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-301a}, language = {English}, urldate = {2020-10-29} } Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky
BabyShark Meterpreter Kimsuky
2020-10-11Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-01WiredAndy Greenberg
@online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-09-24US-CERTUS-CERT
@online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2018-10Group-IBGroup-IB
@techreport{groupib:201810:hitech:420711f, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2018}}, date = {2018-10}, institution = {Group-IB}, url = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf}, language = {English}, urldate = {2021-02-09} } Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter
2017-12-11Group-IBGroup-IB
@techreport{groupib:20171211:moneytaker:49776be, author = {Group-IB}, title = {{MoneyTaker 1.5 YEARS OF SILENT OPERATIONS}}, date = {2017-12-11}, institution = {Group-IB}, url = {https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf}, language = {English}, urldate = {2021-02-09} } MoneyTaker 1.5 YEARS OF SILENT OPERATIONS
Citadel Kronos Meterpreter
2017-06-09MorphisecMichael Gorelik
@online{gorelik:20170609:fin7:3be08a2, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2020-09-04} } FIN7 Takes Another Bite at the Restaurant Industry
Meterpreter Anunak
2011-07-10Michael Schierl
@online{schierl:20110710:facts:fb33368, author = {Michael Schierl}, title = {{Facts and myths about antivirus evasion with Metasploit}}, date = {2011-07-10}, url = {http://schierlm.users.sourceforge.net/avevasion.html}, language = {English}, urldate = {2020-08-24} } Facts and myths about antivirus evasion with Metasploit
Meterpreter
Yara Rules
[TLP:WHITE] win_meterpreter_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_meterpreter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bb914f68b45 c86a0051 8b4d0c 52 8b5508 7751 52 }
            // n = 7, score = 200
            //   8bb914f68b45         | mov                 edi, dword ptr [ecx + 0x458bf614]
            //   c86a0051             | enter               0x6a, 0x51
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   52                   | push                edx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   7751                 | ja                  0x53
            //   52                   | push                edx

        $sequence_1 = { 008b35a8c19f 006860 2f 0000 }
            // n = 4, score = 200
            //   008b35a8c19f         | add                 byte ptr [ebx - 0x603e57cb], cl
            //   006860               | add                 byte ptr [eax + 0x60], ch
            //   2f                   | das                 
            //   0000                 | add                 byte ptr [eax], al

        $sequence_2 = { 55 8bec d84b08 3ddc4e0000 7d15 }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   d84b08               | fmul                dword ptr [ebx + 8]
            //   3ddc4e0000           | cmp                 eax, 0x4edc
            //   7d15                 | jge                 0x17

        $sequence_3 = { 288a4b308808 8b16 40 4a 8916 7176 }
            // n = 6, score = 200
            //   288a4b308808         | sub                 byte ptr [edx + 0x888304b], cl
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   40                   | inc                 eax
            //   4a                   | dec                 edx
            //   8916                 | mov                 dword ptr [esi], edx
            //   7176                 | jno                 0x78

        $sequence_4 = { 8b4526 f7d1 49 8bf9 47 }
            // n = 5, score = 200
            //   8b4526               | mov                 eax, dword ptr [ebp + 0x26]
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   8bf9                 | mov                 edi, ecx
            //   47                   | inc                 edi

        $sequence_5 = { d3e6 8a4d10 4e 85f9 2a7405bb a8c2 40 }
            // n = 7, score = 200
            //   d3e6                 | shl                 esi, cl
            //   8a4d10               | mov                 cl, byte ptr [ebp + 0x10]
            //   4e                   | dec                 esi
            //   85f9                 | test                ecx, edi
            //   2a7405bb             | sub                 dh, byte ptr [ebp + eax - 0x45]
            //   a8c2                 | test                al, 0xc2
            //   40                   | inc                 eax

        $sequence_6 = { 8932 8b700c 83c204 4e 3bce 74ef ff9a0c8b5c03 }
            // n = 7, score = 200
            //   8932                 | mov                 dword ptr [edx], esi
            //   8b700c               | mov                 esi, dword ptr [eax + 0xc]
            //   83c204               | add                 edx, 4
            //   4e                   | dec                 esi
            //   3bce                 | cmp                 ecx, esi
            //   74ef                 | je                  0xfffffff1
            //   ff9a0c8b5c03         | lcall               [edx + 0x35c8b0c]

        $sequence_7 = { 83c410 3bf0 76e1 8bf0 }
            // n = 4, score = 200
            //   83c410               | add                 esp, 0x10
            //   3bf0                 | cmp                 esi, eax
            //   76e1                 | jbe                 0xffffffe3
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 884000 858840008c88 91 0093534000f4 }
            // n = 4, score = 200
            //   884000               | mov                 byte ptr [eax], al
            //   858840008c88         | test                dword ptr [eax - 0x7773ffc0], ecx
            //   91                   | xchg                eax, ecx
            //   0093534000f4         | add                 byte ptr [ebx - 0xbffbfad], dl

        $sequence_9 = { 01c7 05e002a800 0000 004dfc }
            // n = 4, score = 200
            //   01c7                 | add                 edi, eax
            //   05e002a800           | add                 eax, 0xa802e0
            //   0000                 | add                 byte ptr [eax], al
            //   004dfc               | add                 byte ptr [ebp - 4], cl

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules