MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a3b60496a793ee96a51fecf8690ef8312429a6b54d32f2a4424395c47b47fc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


YellowCockatoo


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a3b60496a793ee96a51fecf8690ef8312429a6b54d32f2a4424395c47b47fc8
SHA3-384 hash: 12de9582c43c68241436e6b0e8346c3bc4ae38ebae67702d09f51165bf785ac905a4ef716a69fce45340fb67b5d17ece
SHA1 hash: 221f0ae0ac78e9271818b334422d984de1eaef9d
MD5 hash: 955ee766fec7775bbcd7c9257acc58b0
humanhash: nineteen-kentucky-cat-failed
File name:payload.dll
Download: download sample
Signature YellowCockatoo
Create hunting rule
File size:629'760 bytes
First seen:2023-10-30 20:56:15 UTC
Last seen:2023-10-31 11:44:00 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:kjm7Bnz9WXY7tXd84pdKG30bMTWuxYop35:EmzDpd8ug2
TLSH T192D4DE043BA4DC508B6D16E868EBA3078B2256A7DDFFFF170AA29170595B86347503CF
TrID 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter x3ph1
Tags:dll solarmarker YellowCockatoo

Intelligence

File Origin
# of uploads :
3
# of downloads :
347
Origin country :
US US
Vendor Threat Intelligence
Detection:
SolarMarker
Create hunting rule
Link:
https://www.capesandbox.com/analysis/457196/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.31620.27934.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6540189f34de31f579ce41eb/reports/ff74216f-d38a-43b7-b7e2-b00d510e74c5/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/4a3b60496a793ee96a51fecf8690ef8312429a6b54d32f2a4424395c47b47fc8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Solarmarker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/70539dcb-812a-4ba0-9456-545369d947d3
Result
Threat name:
Jupyter
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1334538
Signature
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Yara detected Jupyter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1334538 Sample: payload.dll Startdate: 30/10/2023 Architecture: WINDOWS Score: 60 15 Multi AV Scanner detection for submitted file 2->15 17 Yara detected Jupyter 2->17 19 Sample uses string decryption to hide its real strings 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4a3b60496a793ee96a51fecf8690ef8312429a6b54d32f2a4424395c47b47fc8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a3b60496a793ee96a51fecf8690ef8312429a6b54d32f2a4424395c47b47fc8/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-10-30 20:57:06 UTC
File Type:
PE (.Net Dll)
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ji5waslkpe7os2sr73hynehpqmjefgtlktjs6kseeq4vyr5up7ea._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231030-zrkj1shb47/
Unpacked files
SH256 hash:
4a3b60496a793ee96a51fecf8690ef8312429a6b54d32f2a4424395c47b47fc8
MD5 hash:
955ee766fec7775bbcd7c9257acc58b0
SHA1 hash:
221f0ae0ac78e9271818b334422d984de1eaef9d
Detections:
SolarmarkerStage2
Create hunting rule
Link:
https://www.unpac.me/results/e6f80f74-a7f3-47ce-8b73-2a21ab2ec259/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
solarmarker
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a3b60496a793ee96a51fecf8690ef8312429a6b54d32f2a4424395c47b47fc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:MALWARE_Win_SolarMarker
Create hunting rule
Author:ditekSHen
Description:Detects SolarMarker
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Solarmarker_Packer_May_2023
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:another version showing observed possible packer in hexdump at specific offset ranges.
Reference:http://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html
Rule name:win_solarmarker_bytecodes
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects bytecodes present in solarmarker Packer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/457196/

Comments