Meterpreter
Metasploit-native extensible RAT/stager framework. The payload observed here is the
windows/x64/meterpreter/reverse_tcp stager: a position-independent, minimal PE
or raw shellcode that connects back, downloads a second-stage DLL, and executes
it in memory.
Build Stack Typically Observed
- Self-assembled in-memory; no traditional compiler toolchain (PE is a thin wrapper around raw shellcode) ^[pefile.txt:4]
- Generated by msfvenom or Metasploit Framework payload/windows/x64/meterpreter/reverse_tcp
- PE wrapper: tiny .text stub (unreached in this sample) + RWX .mmmv/.data section holding raw shellcode ^[pefile.txt:81-101,163-176]
- Single IAT import (VirtualProtect) that the shellcode itself never uses (decoy / vestigial) ^[pefile.txt:234-244]
- Compile timestamp often recent relative to analysis date; not a reliable age indicator (trivially patched) ^[pefile.txt:39]
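A triage check for the RWX payload-carrier section described above, added here as an example (not Metasploit code and not derived from the analysed sample): it walks the PE section table with the standard library only and is exercised against a constructed minimal PE header, not a real file.

```python
import struct

# Section Characteristics flags (winnt.h values)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def rwx_sections(data: bytes) -> list:
    """Return the names of sections flagged readable, writable and executable."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    sec_table = coff + 20 + opt_size
    found = []
    for i in range(num_sections):
        off = sec_table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", data, off + 36)  # Characteristics field
        if chars & RWX == RWX:
            found.append(name)
    return found


def build_sample_pe(sections) -> bytes:
    """Constructed, non-loadable PE header blob for testing; sections = [(name, characteristics)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = b"\0" * 240  # PE32+ optional header; contents irrelevant for this check
    table = b"".join(
        name.encode().ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", chars)
        for name, chars in sections
    )
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample: code section with normal flags, data section marked RWX
# the way the stager's shellcode carrier is.
SAMPLE = build_sample_pe([(".text", 0x60000020), (".data", 0xE0000040)])

if __name__ == "__main__":
    print(rwx_sections(SAMPLE))  # ['.data']
```

An RWX section on its own is a weak signal (packers and some runtimes use them too); combine it with the single-import IAT observation above before escalating.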
Deploy / TTPs
| Technique | ATT&CK ID | Observed |
|---|---|---|
| PE export address table walking (PEB-based API resolution) | T1014 / T1562.001 adj. | Yes ^[r2:entry0] |
| ROR13 hash API resolution | — | Yes ^[r2:entry0] |
| Reverse TCP C2 stager | T1071 | Yes ^[r2:fcn.1400050d6] |
| Download & execute in RWX memory | T1055 / T1620 | Yes ^[r2:fcn.1400050d6] |
| RWX section for payload staging | T1055.012 | Yes ^[pefile.txt:163-176] |
| Hard-coded sockaddr_in in shellcode body | — | Yes ^[xxd:0x1af2] |
Variants / Aliases
- windows/x64/meterpreter/reverse_tcp
- windows/x64/meterpreter/reverse_https
- windows/x64/meterpreter/reverse_winhttp
- Raw shellcode variants (non-PE) use identical connect/recv/exec logic
Capabilities
- peb-walking-api-resolution
- ror13-hash-api-resolution
- reverse-tcp-stager
- win32-socket-stage-download
- rwx-memory-payload-staging
- second-stage-recv-loop
- virtualalloc-exec-staging
- hardcoded-sockaddr-in-config
- single-import-decoy-iat
Notable Analyses
- /intel/analyses/5da21aa2beec633508152233d9560c81e19a73e2b85e2f33ec15aac629f9c7ca.html — x64 reverse_tcp stager, C2 202.10.47.112:5555
Related
- techniques/peb-walking-api-resolution