MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d1fbb35e0a41955bb9e49e3e765be71121a661ba0b374c5e352be5a87639240. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ShikataGaNai

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	0d1fbb35e0a41955bb9e49e3e765be71121a661ba0b374c5e352be5a87639240
SHA3-384 hash:	c2ea528fd6c099e95951e7a76285a6eb4af62b5aa78ba3395952cf86a2443b1c8be3fe7ffe1721a5c7f07a77c6a61a5c
SHA1 hash:	c6617ceea2106f76078c195a4a86cb7e6fc31507
MD5 hash:	b5d2585a9d50e788a37d6700ed8133cf
humanhash:	mountain-seven-sweet-india
File name:	b5d2585a_by_Libranalysis
Download:	download sample
Signature	ShikataGaNai Create hunting rule
File size:	73'802 bytes
First seen:	2021-05-05 08:05:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	481f47bbb2c9c21e108d65f52b04c448 (257 x Meterpreter, 93 x Metasploit, 33 x ShikataGaNai)
ssdeep	1536:IaOtrAo+1M0i1ELsmI4oSGEsKlJsM82pj9JaMb+KR0Nc8QsJq39:pXok21EXI4qtFj2pj9oe0Nc8QsC9
Threatray	9 similar samples on MalwareBazaar
TLSH	CB73BF42D5C42112D1A6127D2AB63BB65A71F1F73605C1EA3A8CCCF5EBD0DB0A6263C7
Reporter	Libranalysis
Tags:	ShikataGaNai

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

testing.exe

Verdict:

Malicious activity

Analysis date:

2021-05-05 08:03:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3af304e0-71ef-4634-99d4-1797cff8cc9c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

lsadump

Link:

https://www.capesandbox.com/analysis/149995/

Detection(s):

Win.Trojan.Swrort-5710536-0

BC.Win.Trojan.Swrort-17210

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7d144e7c-f0aa-4961-b9a0-a2fd2e325f75

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0d1fbb35e0a41955bb9e49e3e765be71121a661ba0b374c5e352be5a87639240/

Threat name:

Win32.Trojan.Swrort

Status:

Malicious

First seen:

2021-05-05 08:05:20 UTC

AV detection:

38 of 47 (80.85%)

Threat level:

5/5

Verdict:

unknown

ShikataGaNai

2339489be44f93b61688ee3b65d0bd2fede5f6dd494588a6268602d2f006bd16

ShikataGaNai

40a2ace8bb6e3d7d50bb346344789c2fafd25490fdaa982134aaacce6f971995

ShikataGaNai

602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9

ShikataGaNai

690be9e806f882774ab1347302bd92236a16499f160f37e59992c220466493c0

ShikataGaNai

8a99a4c58ef5e27d112f0efb4719abe01bcddb5e516114711ee4991f7922ab5f

ShikataGaNai

bd5ebf9632ad17e9a39393ab94ef055307ec053486fe703e2a614de391bc4a65

ShikataGaNai

e50d52fbac295a37f0ed0b724d4ddafca8c86bcd2391b4c481d51d5e279afd20

ShikataGaNai

fefb3c7053a1332b03a4c0523862e8e387a5065b263cf10cb0d7f33f02afc646

ShikataGaNai

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:cobaltstrike family:metasploit backdoor trojan

Link:

https://tria.ge/reports/210505-v9pad3nwg2/

Behaviour

Cobaltstrike

MetaSploit

Malware Config

C2 Extraction:

13.59.15.185:16297

Unpacked files

SH256 hash:

0d1fbb35e0a41955bb9e49e3e765be71121a661ba0b374c5e352be5a87639240

MD5 hash:

b5d2585a9d50e788a37d6700ed8133cf

SHA1 hash:

c6617ceea2106f76078c195a4a86cb7e6fc31507

Link:

https://www.unpac.me/results/988cebce-379d-478d-a1b2-a6210400ee1f/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Hunting_Rule_ShikataGaNai Create hunting rule
Author:	Steven Miller
Reference:	https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	MALWARE_Win_Meterpreter Create hunting rule
Author:	ditekSHen
Description:	Detects Meterpreter payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/149995/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample