MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11



SHA256 hash: 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7
SHA3-384 hash: caec43cb7ed121713bb37e751beeee95dff67d0249a74ed730510b65d737b8947143407484569014c98c18c2f05cedd2
SHA1 hash: 25a3bb6c1d11fac492825178e5a4ca7c5a8c4910
MD5 hash: 1938a3545517650824657fd09ce4ee16
humanhash: mars-friend-high-river
File name: jp.exe
File size: 153'600 bytes
First seen: 2024-04-20 11:33:47 UTC
Last seen: 2024-04-20 12:26:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f9a28c458284584a93b14216308d31bd
ssdeep: 1536:bcmdSR7NBuNA124hAsuDBajpQZfCT4DbAkfe9j5w35GKQTgtxjsWCtd7p9dlw2Qn:4mQD0Ar7pyPA8e9u35GKckxStXlp4Il
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1BBE35B0773A531F9E1778238C9A64906F776787207619BAF0364477A2F233D0AD3AB61
TrID:
  44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.7% (.ICL) Windows Icons Library (generic) (2059/9)
  8.5% (.EXE) OS/2 Executable (generic) (2029/13)
  8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: smica83
Tags: APT44 exe JUICYPOTATONG Sandworm

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 521
Origin country: HU

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7.exe
Verdict: No threats detected
Analysis date: 2024-04-20 11:34:26 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
  Searching for the window
  Launching a process
  Moving a file to the Program Files subdirectory
  Replacing files
  Sending an HTTP GET request
  Forced system process termination
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behaviour:
  Behavior Graph (ID 1429061): sample jp.exe, start date 20/04/2024, architecture WINDOWS, score 48; signature "Multi AV Scanner detection for submitted file"; process chain: jp.exe started, which in turn started conhost.exe.
Result
Threat name: Win64.Trojan.CobaltStrike
Status: Malicious
First seen: 2022-10-06 00:49:03 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Result
Unpacked files:
  SHA256 hash: 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7
  MD5 hash: 1938a3545517650824657fd09ce4ee16
  SHA1 hash: 25a3bb6c1d11fac492825178e5a4ca7c5a8c4910
  Detections: HKTL_Imphashes_Aug22_1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: HKTL_Imphashes_Aug22_1
Author: Florian Roth
Description: Detects different hacktools based on their imphash
Reference: Internal Research

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID: Title, severity)
  CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
  CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (GUARD_CF) (severity: high)

Reviews (ID: Capability, followed by the imported functions given as evidence)
  AUTH_API: Manipulates User Authorization
    ADVAPI32.dll::CopySid
    ADVAPI32.dll::GetLengthSid
    ADVAPI32.dll::RevertToSelf
  COM_BASE_API: Can Download & Execute components
    ole32.dll::CoCreateInstance
    ole32.dll::CoInitializeSecurity
  RPC_API: Can Execute Remote Procedures
    RPCRT4.dll::RpcServerRegisterAuthInfoW
    RPCRT4.dll::RpcServerUseProtseqEpW
  SECURITY_BASE_API: Uses Security Base API
    ADVAPI32.dll::AdjustTokenPrivileges
    ADVAPI32.dll::DuplicateTokenEx
    ADVAPI32.dll::GetTokenInformation
    ADVAPI32.dll::ImpersonateLoggedOnUser
    ADVAPI32.dll::PrivilegeCheck
    ADVAPI32.dll::SetTokenInformation
  SS_API: Uses SS API
    Secur32.dll::AcceptSecurityContext
    Secur32.dll::QuerySecurityContextToken
  WIN32_PROCESS_API: Can Create Process and Threads
    ADVAPI32.dll::CreateProcessAsUserW
    KERNEL32.dll::CreateProcessW
    ADVAPI32.dll::CreateProcessWithTokenW
    ADVAPI32.dll::OpenProcessToken
    KERNEL32.dll::CloseHandle
  WIN_BASE_API: Uses Win Base API
    KERNEL32.dll::TerminateProcess
    KERNEL32.dll::LoadLibraryW
    KERNEL32.dll::LoadLibraryExW
    KERNEL32.dll::GetStartupInfoW
    KERNEL32.dll::GetCommandLineA
    KERNEL32.dll::GetCommandLineW
  WIN_BASE_EXEC_API: Can Execute other programs
    KERNEL32.dll::AllocConsole
    KERNEL32.dll::WriteConsoleW
    KERNEL32.dll::FreeConsole
    KERNEL32.dll::SetStdHandle
    KERNEL32.dll::GetConsoleWindow
    KERNEL32.dll::GetConsoleOutputCP
    KERNEL32.dll::GetConsoleMode
  WIN_BASE_IO_API: Can Create Files
    KERNEL32.dll::CreateFileW
  WIN_BASE_USER_API: Retrieves Account Information
    ADVAPI32.dll::LogonUserW
    ADVAPI32.dll::LookupAccountSidW
    ADVAPI32.dll::LookupPrivilegeValueW
  WIN_REG_API: Can Manipulate Windows Registry
    ADVAPI32.dll::RegGetValueW
    ADVAPI32.dll::RegOpenKeyExW
