Symbol: win.meterpreter
Common name: Meterpreter
aka. Synonyms: (none listed)


There is no description at this point.

References

Date | Source | Author(s)

2024-01-12 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
Tags: FluBot, Hook, FAKEUPDATES, AsyncRAT, BianLian, Cobalt Strike, DCRat, Havoc, IcedID, Lumma Stealer, Meterpreter, NjRAT, Pikabot, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver

2023-09-07 | CISA | CISA
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
Tags: Meterpreter, MimiKatz

2023-08-22 | AhnLab | Sanseo
Analysis of APT Attack Cases Targeting Web Services of Korean Corporations
Tags: Ladon, Meterpreter, MimiKatz, Dalbit

2023-06-08 | VMRay | Patrick Staubmann
Busy Bees - The Transformation of BumbleBee
Tags: BumbleBee, Cobalt Strike, Conti, Meterpreter, Sliver

2023-05-22 | AhnLab | ASEC
Kimsuky Group Using Meterpreter to Attack Web Servers
Tags: Kimsuky, Meterpreter

2023-04-24 | Kaspersky Labs | Ivan Kwiatkowski, Pierre Delcher
Tomiris called, they want their Turla malware back
Tags: KopiLuwak, Andromeda, Ave Maria, GoldMax, JLORAT, Kazuar, Meterpreter, QUIETCANARY, RATel, Roopy, Telemiris, tomiris, Topinambour, Tomiris

2023-04-18 | Mandiant | Mandiant
M-Trends 2023
Tags: QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate

2022-10-03 | Check Point | Marc Salinas Fernandez
Bumblebee: increasing its capacity and evolving its TTPs
Tags: BumbleBee, Cobalt Strike, Meterpreter, Sliver, Vidar

2022-09-26 | The DFIR Report | The DFIR Report
BumbleBee: Round Two
Tags: BumbleBee, Cobalt Strike, Meterpreter

2022-09-14 | Cybereason | Derrick Masters, Loïc Castel
THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence
Tags: Meterpreter

2022-09-06 | AT&T | Ofer Caspi
Shikitega - New stealthy malware targeting Linux
Tags: BotenaGo, EnemyBot, Meterpreter, Monero Miner

2022-09-06 | Check Point | Check Point Research
DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa
Tags: AsyncRAT, Meterpreter, PoshC2, DangerousSavanna

2022-09-01 | Medium michaelkoczwara | Michael Koczwara
Hunting C2/Adversaries Infrastructure with Shodan and Censys
Tags: Brute Ratel C4, Cobalt Strike, Deimos, GRUNT, IcedID, Merlin, Meterpreter, Nighthawk, PoshC2, Sliver

2022-08-30 | Proofpoint | Michael Raggi, PWC UK, Sveva Vittoria Scenarelli
Rising Tide: Chasing the Currents of Espionage in the South China Sea
Tags: scanbox, Meterpreter, APT40

2022-08-18 | Sophos | Sean Gallagher
Cookie stealing: the new perimeter bypass
Tags: Cobalt Strike, Meterpreter, MimiKatz, Phoenix Keylogger, Quasar RAT

2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
Obscure Serpens
Tags: Cobalt Strike, Empire Downloader, Meterpreter, MimiKatz, DarkHydrus

2022-07-07 | IBM | Charlotte Hammond, Kat Weinberger, Ole Villadsen
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
Tags: AnchorMail, BumbleBee, Cobalt Strike, IcedID, Meterpreter

2022-06-01 | Elastic | Andrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Tags: Cobalt Strike, Cuba, Meterpreter, MimiKatz, SystemBC

2022-05-05 | Cisco Talos | Aliza Berk, Asheer Malhotra, Jung soo An, Justin Thattil, Kendall McKay
Mustang Panda deploys a new wave of malware targeting Europe
Tags: Cobalt Strike, Meterpreter, PlugX, Unidentified 094

2022-04-26 | Trend Micro | Lord Alfred Remorin, Ryan Flores, Stephen Hilt
How Cybercriminals Abuse Cloud Tunneling Services
Tags: AsyncRAT, Cobalt Strike, DarkComet, Meterpreter, Nanocore RAT

2022-01-25 | Cynet | Orion Threat Research and Intelligence Team
Threats Looming Over the Horizon
Tags: Cobalt Strike, Meterpreter, NightSky

2021-12-20 | Bleeping Computer | Lawrence Abrams
Log4j vulnerability now used to install Dridex banking malware
Tags: DoppelDridex, Meterpreter

2021-09-16 | Lumen | Black Lotus Labs
No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders
Tags: PrivetSanya, Meterpreter

2021-09-07 | Counter Craft | Counter Craft
Shellcode Detection Using Real-Time Kernel Monitoring
Tags: Meterpreter

2021-09-02 | AhnLab | ASEC Analysis Team
Attacks using metasploit meterpreter
Tags: Appleseed, Meterpreter

2021-06-02 | Sophos | Sean Gallagher
AMSI bypasses remain tricks of the malware trade
Tags: Agent Tesla, Cobalt Strike, Meterpreter

2021-03-25 | Recorded Future | Insikt Group®
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Tags: Meterpreter, PlugX

2021-01-07 | Recorded Future | Insikt Group®
Adversary Infrastructure Report 2020: A Defender's View
Tags: Octopus, pupy, Cobalt Strike, Empire Downloader, Meterpreter, PoshC2

2021-01-06 | Red Canary | Tony Lambert
Hunting for GetSystem in offensive security tools
Tags: Cobalt Strike, Empire Downloader, Meterpreter, PoshC2

2021-01-01 | Secureworks | SecureWorks
Threat Profile: GOLD FRANKLIN
Tags: Grateful POS, Meterpreter, MimiKatz, RemCom, FIN6

2021-01-01 | Secureworks | SecureWorks
Threat Profile: GOLD WINTER
Tags: Cobalt Strike, Hades, Meterpreter, GOLD WINTER

2020-11-17 | cyble | Cyble
OceanLotus Continues With Its Cyber Espionage Operations
Tags: Cobalt Strike, Meterpreter

2020-10-27 | US-CERT | US-CERT
Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky
Tags: BabyShark, GREASE, MECHANICAL, Meterpreter, Kimsuky

2020-10-11 | Github (StrangerealIntel) | StrangerealIntel
Chimera, APT19 under the radar?
Tags: Cobalt Strike, Meterpreter

2020-10-01 | Wired | Andy Greenberg
Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Tags: Cobalt Strike, Meterpreter

2020-09-24 | US-CERT | US-CERT
Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Tags: Cobalt Strike, Meterpreter

2018-10-04 | Kaspersky Labs | GReAT
Shedding Skin – Turla’s Fresh Faces
Tags: KopiLuwak, Agent.BTZ, Cobra Carbon System, Gazer, Meterpreter, Mosquito, Skipper

2018-10-01 | Group-IB | Group-IB
Hi-Tech Crime Trends 2018
Tags: BackSwap, Cobalt Strike, Cutlet, Meterpreter

2017-12-11 | Group-IB | Group-IB
MoneyTaker 1.5 YEARS OF SILENT OPERATIONS
Tags: Citadel, Kronos, Meterpreter

2017-06-09 | Morphisec | Michael Gorelik
FIN7 Takes Another Bite at the Restaurant Industry
Tags: Meterpreter, FIN7

2011-07-10 | Michael Schierl
Facts and myths about antivirus evasion with Metasploit
Tags: Meterpreter
Yara Rules
[TLP:WHITE] win_meterpreter_auto (20230808 | Detects win.meterpreter.)
rule win_meterpreter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.meterpreter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 55 8bec dcec 088b55895356 108b3a85ff89 7dfc 750e }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   dcec                 | fsub                st(4), st(0)
            //   088b55895356         | or                  byte ptr [ebx + 0x56538955], cl
            //   108b3a85ff89         | adc                 byte ptr [ebx - 0x76007ac6], cl
            //   7dfc                 | jge                 0xfffffffe
            //   750e                 | jne                 0x10

        $sequence_1 = { fc b8c0150000 8b7508 33e5 257e040275 238b1d6a016a 006a00 }
            // n = 7, score = 200
            //   fc                   | cld                 
            //   b8c0150000           | mov                 eax, 0x15c0
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   33e5                 | xor                 esp, ebp
            //   257e040275           | and                 eax, 0x7502047e
            //   238b1d6a016a         | and                 ecx, dword ptr [ebx + 0x6a016a1d]
            //   006a00               | add                 byte ptr [edx], ch

        $sequence_2 = { f1 57 52 bc40e84fff 38ff 83db14 5f }
            // n = 7, score = 200
            //   f1                   | int1                
            //   57                   | push                edi
            //   52                   | push                edx
            //   bc40e84fff           | mov                 esp, 0xff4fe840
            //   38ff                 | cmp                 bh, bh
            //   83db14               | sbb                 ebx, 0x14
            //   5f                   | pop                 edi

        $sequence_3 = { 314319 034319 83ebfc 0acb }
            // n = 4, score = 200
            //   314319               | xor                 dword ptr [ebx + 0x19], eax
            //   034319               | add                 eax, dword ptr [ebx + 0x19]
            //   83ebfc               | sub                 ebx, -4
            //   0acb                 | or                  cl, bl

        $sequence_4 = { 0000 68ffff0000 52 ffd7 8b2410 }
            // n = 5, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   68ffff0000           | push                0xffff
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   8b2410               | mov                 esp, dword ptr [eax + edx]

        $sequence_5 = { 8be5 5d c27f00 8d4df4 8d55ec }
            // n = 5, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c27f00               | ret                 0x7f
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   8d55ec               | lea                 edx, [ebp - 0x14]

        $sequence_6 = { 51 6a00 6a00 37 0052bf 15???????? 85c0 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   37                   | aaa                 
            //   0052bf               | add                 byte ptr [edx - 0x41], dl
            //   15????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_7 = { 8b451c 8d07 a4 52 8d4d18 50 }
            // n = 6, score = 200
            //   8b451c               | mov                 eax, dword ptr [ebp + 0x1c]
            //   8d07                 | lea                 eax, [edi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   52                   | push                edx
            //   8d4d18               | lea                 ecx, [ebp + 0x18]
            //   50                   | push                eax

        $sequence_8 = { 41 00ff 15???????? 33c0 c3 7790 55 }
            // n = 7, score = 200
            //   41                   | inc                 ecx
            //   00ff                 | add                 bh, bh
            //   15????????           |                     
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   7790                 | ja                  0xffffff92
            //   55                   | push                ebp

        $sequence_9 = { 83ec08 53 8b4708 57 33ff 85db }
            // n = 6, score = 200
            //   83ec08               | sub                 esp, 8
            //   53                   | push                ebx
            //   8b4708               | mov                 eax, dword ptr [edi + 8]
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   85db                 | test                ebx, ebx

    condition:
        7 of them and filesize < 188416
}