MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca4f64a4b97c079e3835b30d39b8d0ed3dec2994f98e11c3aeb6b3130a00903b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hive


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca4f64a4b97c079e3835b30d39b8d0ed3dec2994f98e11c3aeb6b3130a00903b
SHA3-384 hash: 0d2f39103847014df30d5798c57bc1d1ec525ffefe28e2f0e797847e1aaa656ee9b36bf71fa0d7331dc888d991cb3f2b
SHA1 hash: 7725a4e7a7f34a66d6351d0bb113790174508855
MD5 hash: 481390c5e5ee00b9933822f478b2cbfe
humanhash: bluebird-avocado-sixteen-bluebird
File name:ca4f64a4b97c079e3835b30d39b8d0ed3dec2994f98e11c3aeb6b3130a00903b.exe
Download: download sample
Signature Hive
Create hunting rule
File size:1'480'608 bytes
First seen:2022-06-19 08:30:40 UTC
Last seen:2022-06-19 09:46:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 37 x Vidar)
ssdeep 24576:/O6DbrL3zverb/TpvO90dL3BmAFd4A64nsfJXp2Rp7gpMbJVzfbWBD1vJn:2cb33berb/TpvO90dL3BmAFd4A64nsfp
Threatray 152 similar samples on MalwareBazaar
TLSH T1C6653903788140B5D2AA92318A6592A9E730BC4D0F3323D7BB50BFB92F767D45EB5358
gimphash 8be75728ef8a5e9b91bf8b2c31ffae75f282abd50cb5e4fe993bea610efcb5ef
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 24e4c8d0f0c8d4d4 (15 x AgentTesla, 7 x RemcosRAT, 6 x Formbook)
Reporter obfusor
Tags:CobaltStrike exe Hive

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281220/
Detection(s):
SecuriteInfo.com.Trojan.Win64.Shelma.4c.10437.29258.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
DNS request
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Moving of the original file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21898/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
golang overlay packed
Link:
https://www.filescan.io/uploads/62aedf04b7a5f5720e29fb71/reports/985a42a9-e792-4f8f-9d8c-4604b59249d7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7cb7ab3-4a71-4f56-944c-c0ff66cce9f7
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1015814
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 648310 Sample: hWviG6HUdK.exe Startdate: 19/06/2022 Architecture: WINDOWS Score: 88 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 2 other signatures 2->43 8 hWviG6HUdK.exe 2 2->8         started        process3 file4 27 C:\ProgramData\z1.exe, PE32+ 8->27 dropped 45 Potentially malicious time measurement code found 8->45 12 z1.exe 7 8->12         started        16 cmd.exe 3 2 8->16         started        signatures5 process6 dnsIp7 31 service-59v6fwm9-1307868367.sh.apigw.tencentcs.com 12->31 33 13-5.sh.apigwtencent.com 106.54.143.113, 443, 49765, 49771 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa China 12->33 35 2 other IPs or domains 12->35 47 Multi AV Scanner detection for dropped file 12->47 18 conhost.exe 12->18         started        20 AcroRd32.exe 15 37 16->20         started        22 conhost.exe 16->22         started        signatures8 process9 process10 24 RdrCEF.exe 73 20->24         started        dnsIp11 29 192.168.2.1 unknown unknown 24->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca4f64a4b97c079e3835b30d39b8d0ed3dec2994f98e11c3aeb6b3130a00903b/
Threat name:
Win64.Trojan.Shelma
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 10:32:02 UTC
File Type:
PE+ (Exe)
Extracted files:
5
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zjhwjjfzpqdz4obvwmgttogq5u66ykmu7ghbdq5ow2zrgcqasa5q._file
Verdict:
unknown
Similar samples:
0787ae2c43d3a8d3f69ab3d69692f789e0b4fa27b276e072ca44a82074477e34
Hive
29d2f9308947efac0c804497666e1f03d61bc9321fdb498152a5d481d1e61a35
Hive
356ed801fd17886006472a332bba1126976a4a14dbf378d59a01904fcea64b18
Hive
9148bcf1957c9dc89339b577fc122c8d947cafc09b275c95361dc6b4150eeaa1
Hive
a945fd22e8f7272ce950721138fedb657dcfdd8447620a840c17688e3f9e0561
Hive
d94d4ffe996eab88f6583a75791e95a81508a25eab9608b397755e2051960acd
Hive
f273edc1367f3b4031946254ff4f2d32c2c82f6a7aabbeab86153d5728e0766e
Hive
+ 142 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 botnet:1580103824 backdoor suricata trojan
Link:
https://tria.ge/reports/220619-kep7eadfek/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Cobaltstrike
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
Malware Config
C2 Extraction:
http://service-59v6fwm9-1307868367.sh.apigw.tencentcs.com:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
ca4f64a4b97c079e3835b30d39b8d0ed3dec2994f98e11c3aeb6b3130a00903b
MD5 hash:
481390c5e5ee00b9933822f478b2cbfe
SHA1 hash:
7725a4e7a7f34a66d6351d0bb113790174508855
Link:
https://www.unpac.me/results/0b540b15-821c-442b-88b7-45892a8ab9b5/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca4f64a4b97c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.06
Link:
https://yomi.yoroi.company/submissions/ca4f64a4b97c079e3835b30d39b8d0ed3dec2994f98e11c3aeb6b3130a00903b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281220/

Comments