SYMBOLCOMMON_NAMEaka. SYNONYMS
win.meterpreter (Back to overview)

Meterpreter

There is no description at this point.

References
2021-12-20Bleeping ComputerLawrence Abrams
@online{abrams:20211220:log4j:1a80230, author = {Lawrence Abrams}, title = {{Log4j vulnerability now used to install Dridex banking malware}}, date = {2021-12-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/}, language = {English}, urldate = {2021-12-21} } Log4j vulnerability now used to install Dridex banking malware
DoppelDridex Meterpreter
2021-09-16Black Lotus LabsBlack Lotus Labs
@online{labs:20210916:no:7a40fbb, author = {Black Lotus Labs}, title = {{No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders}}, date = {2021-09-16}, organization = {Black Lotus Labs}, url = {https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/}, language = {English}, urldate = {2021-09-19} } No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders
PrivetSanya Meterpreter
2021-09-07Counter CraftCounter Craft
@online{craft:20210907:shellcode:dc30cfa, author = {Counter Craft}, title = {{Shellcode Detection Using Real-Time Kernel Monitoring}}, date = {2021-09-07}, organization = {Counter Craft}, url = {https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/}, language = {English}, urldate = {2021-09-14} } Shellcode Detection Using Real-Time Kernel Monitoring
Meterpreter
2021-09-02ASECAhnLab ASEC Analysis Team
@online{team:20210902:attacks:39695ea, author = {AhnLab ASEC Analysis Team}, title = {{Attacks using metasploit meterpreter}}, date = {2021-09-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/26705/}, language = {Korean}, urldate = {2021-09-09} } Attacks using metasploit meterpreter
Appleseed Meterpreter
2021-06-02SophosSean Gallagher
@online{gallagher:20210602:amsi:084d0ba, author = {Sean Gallagher}, title = {{AMSI bypasses remain tricks of the malware trade}}, date = {2021-06-02}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/}, language = {English}, urldate = {2021-06-09} } AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-03-25Recorded FutureInsikt Group®
@online{group:20210325:suspected:5b0078f, author = {Insikt Group®}, title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}}, date = {2021-03-25}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/}, language = {English}, urldate = {2021-03-30} } Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX
2021-01-07Recorded FutureInsikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06Red CanaryTony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2021SecureworksSecureWorks
@online{secureworks:2021:threat:bce1d06, author = {SecureWorks}, title = {{Threat Profile: GOLD WINTER}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-winter}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c0ba914, author = {SecureWorks}, title = {{Threat Profile: GOLD FRANKLIN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-franklin}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD FRANKLIN
Grateful POS Meterpreter MimiKatz RemCom FIN6
2020-11-17cybleCyble
@online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-10-27US-CERTUS-CERT
@online{uscert:20201027:alert:cd5c1eb, author = {US-CERT}, title = {{Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky}}, date = {2020-10-27}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-301a}, language = {English}, urldate = {2020-10-29} } Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky
BabyShark Meterpreter Kimsuky
2020-10-11Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-01WiredAndy Greenberg
@online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-09-24US-CERTUS-CERT
@online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2018-10Group-IBGroup-IB
@techreport{groupib:201810:hitech:420711f, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2018}}, date = {2018-10}, institution = {Group-IB}, url = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf}, language = {English}, urldate = {2021-02-09} } Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter
2017-12-11Group-IBGroup-IB
@techreport{groupib:20171211:moneytaker:49776be, author = {Group-IB}, title = {{MoneyTaker 1.5 YEARS OF SILENT OPERATIONS}}, date = {2017-12-11}, institution = {Group-IB}, url = {https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf}, language = {English}, urldate = {2021-02-09} } MoneyTaker 1.5 YEARS OF SILENT OPERATIONS
Citadel Kronos Meterpreter
2017-06-09MorphisecMichael Gorelik
@online{gorelik:20170609:fin7:3be08a2, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2020-09-04} } FIN7 Takes Another Bite at the Restaurant Industry
Meterpreter FIN7
2011-07-10Michael Schierl
@online{schierl:20110710:facts:fb33368, author = {Michael Schierl}, title = {{Facts and myths about antivirus evasion with Metasploit}}, date = {2011-07-10}, url = {http://schierlm.users.sourceforge.net/avevasion.html}, language = {English}, urldate = {2020-08-24} } Facts and myths about antivirus evasion with Metasploit
Meterpreter
Yara Rules
[TLP:WHITE] win_meterpreter_auto (20211008 | Detects win.meterpreter.)
rule win_meterpreter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.meterpreter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 90 55 8bd2 51 a0???????? }
            // n = 5, score = 200
            //   90                   | nop                 
            //   55                   | push                ebp
            //   8bd2                 | mov                 edx, edx
            //   51                   | push                ecx
            //   a0????????           |                     

        $sequence_1 = { 005688 06 ef e8???????? 5f 33c0 }
            // n = 6, score = 200
            //   005688               | add                 byte ptr [esi - 0x78], dl
            //   06                   | push                es
            //   ef                   | out                 dx, eax
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   33c0                 | xor                 eax, eax

        $sequence_2 = { 1889198b4a14 ac 08894214c142 388d4a1185a1 }
            // n = 4, score = 200
            //   1889198b4a14         | sbb                 byte ptr [ecx + 0x144a8b19], cl
            //   ac                   | lodsb               al, byte ptr [esi]
            //   08894214c142         | or                  byte ptr [ecx + 0x42c11442], cl
            //   388d4a1185a1         | cmp                 byte ptr [ebp - 0x5e7aeeb6], cl

        $sequence_3 = { 55 8bec 8b4d08 56 8b41a8 }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   8b41a8               | mov                 eax, dword ptr [ecx - 0x58]

        $sequence_4 = { 8b6110 83c4c4 2bf0 8931 5e be9be55dc3 }
            // n = 6, score = 200
            //   8b6110               | mov                 esp, dword ptr [ecx + 0x10]
            //   83c4c4               | add                 esp, -0x3c
            //   2bf0                 | sub                 esi, eax
            //   8931                 | mov                 dword ptr [ecx], esi
            //   5e                   | pop                 esi
            //   be9be55dc3           | mov                 esi, 0xc35de59b

        $sequence_5 = { 15???????? 005ee6 e55d c3 8bbde0024100 52 }
            // n = 6, score = 200
            //   15????????           |                     
            //   005ee6               | add                 byte ptr [esi - 0x1a], bl
            //   e55d                 | in                  eax, 0x5d
            //   c3                   | ret                 
            //   8bbde0024100         | mov                 edi, dword ptr [ebp + 0x4102e0]
            //   52                   | push                edx

        $sequence_6 = { 6a38 895010 8b0e 8b512a }
            // n = 4, score = 200
            //   6a38                 | push                0x38
            //   895010               | mov                 dword ptr [eax + 0x10], edx
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8b512a               | mov                 edx, dword ptr [ecx + 0x2a]

        $sequence_7 = { 0000 8bfe 0c89 55 8e8d45ec0f51 f6593a }
            // n = 6, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   8bfe                 | mov                 edi, esi
            //   0c89                 | or                  al, 0x89
            //   55                   | push                ebp
            //   8e8d45ec0f51         | mov                 cs, word ptr [ebp + 0x510fec45]
            //   f6593a               | neg                 byte ptr [ecx + 0x3a]

        $sequence_8 = { 85f6 7508 8975f8 8975fc eb0d }
            // n = 5, score = 200
            //   85f6                 | test                esi, esi
            //   7508                 | jne                 0xa
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   eb0d                 | jmp                 0xf

        $sequence_9 = { aa e8???????? 8b7508 8a4de4 ce 06 }
            // n = 6, score = 200
            //   aa                   | stosb               byte ptr es:[edi], al
            //   e8????????           |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8a4de4               | mov                 cl, byte ptr [ebp - 0x1c]
            //   ce                   | into                
            //   06                   | push                es

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules