MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f648f5aedcc15303407812b041b3101dadad034e2252168943a16155b92eb9bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: YellowCockatoo

Vendor detections: 6

SHA256 hash: f648f5aedcc15303407812b041b3101dadad034e2252168943a16155b92eb9bc
SHA3-384 hash: 23f27dea4028b22ee8b560dcd9ac158544b343407488e5d826a56a89cefbe54883e9825e37a5b0cc7d21ab58abf9e7f3
SHA1 hash: 181567f88431c084c7144e213afa42c881005a6d
MD5 hash: cb5e5be09e26b5ce7877ef38b1f4c2bd
humanhash: oscar-ink-ohio-fillet
File name: f462x9le25m726u7a2xvllx1p74c1nw3.ps1
Signature: YellowCockatoo
File size: 875'904 bytes
First seen: 2023-01-10 17:20:10 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 12288:q6+/aXTysQwt5F9kEV4UCJq0N7OyKXR3MbB9MZaQ1oCJwRB0niH9S6DZzrWHLFxH:q6MaXPjD4dMyKBcUfE8W9SQvWRxWZc
Threatray: 10 similar samples on MalwareBazaar
TLSH: T1D0152324EC5BBF92852CD54824D7FC521B1053AE11AEADE791A0C28B417FBD663138BF
Reporter: SDotCarter0610
Tags: YellowCockatoo ps1 solarmarker

Intelligence


File Origin
# of uploads: 1
# of downloads: 220
Origin country: US
Vendor Threat Intelligence
Result
Verdict: UNKNOWN
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100
Signature
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Powershell creates an autostart link
Suspicious powershell command line found
Behaviour
Behavior Graph: (Behavior Graph ID 781721; sample f462x9le25m726u7a2xvllx1p74...; start date 10/01/2023; architecture Windows; score 60). Recoverable contents of the graph: two powershell.exe processes, each starting conhost.exe; network contact with 185.73.202.88 on port 80 (COMNET-ASNTR, Turkey) from source ports 49695 and 49696; dropped file C:\Users\user\wyxidaaypih.dvcj1unmrvh (ASCII); signatures: Malicious sample detected (through community Yara rule), Suspicious powershell command line found, Obfuscated command line found, Powershell creates an autostart link.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-01-10 17:21:08 UTC
File Type: Text (PowerShell)
AV detection: 1 of 41 (2.44%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops startup file
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments