MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffd30ecdca3de5df82a5276690a913716be15d156cbc344b49866750d219717a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cosmu


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffd30ecdca3de5df82a5276690a913716be15d156cbc344b49866750d219717a
SHA3-384 hash: 3314e3115b0a90dbbd0bf2bc75629d8801909737aa800daeb68a1628d458d0ec1ec75088cb58bc5893706854d15310f7
SHA1 hash: 8cc49dfc397275860db70eb0eb3919ce73a81f33
MD5 hash: fd79653ea05146961b1b08f533c69a43
humanhash: carpet-eleven-july-east
File name:bigcos.exe
Download: download sample
Signature Cosmu
Create hunting rule
File size:6'783'082 bytes
First seen:2022-02-20 07:22:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8abecba2211e61763c4c9ffcaa13369e (172 x Cosmu, 1 x Zombie, 1 x CobaltStrike)
ssdeep 196608:NCzNA7rlvRz1rrFBV6tpjuj6gYPKHCKsy:NjUtYj6gYPYz
Threatray 3 similar samples on MalwareBazaar
TLSH T130666C44BFE44C26E17B6AF245FD02500E7DFD47AB20D24F2D8021AA7D32B58DE6176A
Reporter adm1n_usa32
Tags:Cosmu exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bigcos.exe
Verdict:
No threats detected
Analysis date:
2022-02-20 07:21:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e19ff4ae-b4ec-4bfa-a897-c3ce7a3aba16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242748/
Detection(s):
Win.Malware.Generickdz-9938530-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.NWorm.UNOFFICIAL
Create hunting rule

Win.Trojan.Cosmu-1058
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Creating a process from a recently created file
Moving a recently created file
Сreating synchronization primitives
Modifying an executable file
Replacing files
Unauthorized injection to a recently created process
Infecting executable files
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6753/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cosmu
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0554bb35-7896-4c4d-ac62-5e295943399b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/942764
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files in the recycle bin to hide itself
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffd30ecdca3de5df82a5276690a913716be15d156cbc344b49866750d219717a/
Threat name:
Win32.Spyware.Zombie
Create hunting rule
Status:
Malicious
First seen:
2022-02-05 16:57:00 UTC
File Type:
PE (Exe)
Extracted files:
317
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0a53a78b2728beb7f8fb17135bd7c013aca9d7a2ec73d8c81542d7dfcad8bead
Cosmu
7e26a05d10a275416faae5ab2721604bf485683e7ba2263627df7686e233da46
Cosmu
c147611e7b8819ecbf4f4130d4000c7e01c1219b95ef9d89b11f802fbb6a46b1
Cosmu
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220220-h7tn7abahn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
23fbd1ee66fce6872e97b2fe84c409ab30a74fe8720b722bc6f8bae6e7764c04
MD5 hash:
5ca71cbff5a8de7e5e30b6e94cd42069
SHA1 hash:
991701a32492d743430627cbfbd56d6884c32588
Link:
https://www.unpac.me/results/38093fe7-d1d0-4e7e-8ce1-bcb39ed1b7e1/
SH256 hash:
ffd30ecdca3de5df82a5276690a913716be15d156cbc344b49866750d219717a
MD5 hash:
fd79653ea05146961b1b08f533c69a43
SHA1 hash:
8cc49dfc397275860db70eb0eb3919ce73a81f33
Link:
https://www.unpac.me/results/38093fe7-d1d0-4e7e-8ce1-bcb39ed1b7e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffd30ecdca3de5df82a5276690a913716be15d156cbc344b49866750d219717a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/242748/

Comments