MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efc8bd338786404ca4dede0c7c1051927dff563e408eaa007d0c320b264b86e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	efc8bd338786404ca4dede0c7c1051927dff563e408eaa007d0c320b264b86e8
SHA3-384 hash:	6c00d6187bf55a8935e50efb6f64a9a2560368246de9ba6f46c66e10dfb4a22a5d207ce7661d63b5033d6dc78d3de034
SHA1 hash:	f03cdcb874f073d03342a6f11cde40dd6b57504c
MD5 hash:	5db692abf569a29ce673e2cdf88b3a82
humanhash:	one-april-missouri-football
File name:	efc8bd338786404ca4dede0c7c1051927dff563e408eaa007d0c320b264b86e8
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	5'119'948 bytes
First seen:	2021-01-28 13:32:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	809ea02d92fea89353f33279290e8c9f (4 x CobaltStrike, 1 x DemonWare, 1 x ValleyRAT)
ssdeep	98304:ZtLJ4X3IT06wWXuycm/iAq4Evt4vA1pYAWBcrKFrSfSnVsiDcnocJK:ZVKWYbycm/iArvCYIeSEs5ock
Threatray	26 similar samples on MalwareBazaar
TLSH	22363386E2616CFBE7F68939DC628046F876781753B8C2DF529491A19FD3B40683EF10
Reporter	JAMESWT_WT
Tags:	47.105.186.146 CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

493

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

efc8bd338786404ca4dede0c7c1051927dff563e408eaa007d0c320b264b86e8

Verdict:

No threats detected

Analysis date:

2021-01-28 13:36:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a44d2e45-389a-4d98-8458-8e1541162ce6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/114230/

Detection(s):

SecuriteInfo.com.Trojan.Encoder.31657.7773.30126.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Connection attempt

Sending a UDP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/592879

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/efc8bd338786404ca4dede0c7c1051927dff563e408eaa007d0c320b264b86e8/

Threat name:

Win64.Trojan.Rozena

Status:

Malicious

First seen:

2021-01-22 22:33:56 UTC

File Type:

PE+ (Exe)

Extracted files:

246

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Verdict:

unknown

CobaltStrike

0ee680c945bcd40a5f26f165e043509c9dd99fa0d85a8812aa359477a05e82fc

CobaltStrike

30eb8727af3b8a2f4551574c7d826e9f27480e79d242b92d392b1f64091acf12

CobaltStrike

6084cf861e6b10480c4d05cd3aefb10a92820b191d1a8813154155fa1ca7a88c

CobaltStrike

69cd9793d80b5e5d7f5bf377822dc573c84ef939ede4eedd892fd1b757435bff

CobaltStrike

71bb29dfc07190aeace9d750fcb2e9a66a8abebab3c6d2c40eb0b3ce93e4c36f

CobaltStrike

83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475

CobaltStrike

8d8a8acc157f92723bfbe61fd04220d80d171908ee97231d15fad5b5515a0b2e

CobaltStrike

9cc659b2ca813ac76fd302254522e11352627942aa96a256da9f82ea269e6d94

CobaltStrike

ea1213c0a684662e8305cfe1c6eeebbb12a9d1404e7571438d3730cc1df1caab

CobaltStrike

+ 16 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/210128-3762awx2na/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

JavaScript code in executable

Loads dropped DLL

Unpacked files

SH256 hash:

efc8bd338786404ca4dede0c7c1051927dff563e408eaa007d0c320b264b86e8

MD5 hash:

5db692abf569a29ce673e2cdf88b3a82

SHA1 hash:

f03cdcb874f073d03342a6f11cde40dd6b57504c

Link:

https://www.unpac.me/results/35af19d4-c086-470d-a2ab-839336efa027/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Rozena

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/efc8bd338786404ca4dede0c7c1051927dff563e408eaa007d0c320b264b86e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_File_pyinstaller Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
Description:	Detect PE file produced by pyinstaller
Reference:	https://isc.sans.edu/diary/21057

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	WinPayloads_Payload Create hunting rule
Author:	Florian Roth
Description:	Detects WinPayloads Payload
Reference:	https://github.com/nccgroup/Winpayloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/malwrhunterteam/status/1354749385041711105?s=20

Cape

https://www.capesandbox.com/analysis/114230/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample