MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fffd5fb4107407ecc42df03dec6cc20d164b651879ac0a77455e07d9fc001a6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 6



SHA256 hash: fffd5fb4107407ecc42df03dec6cc20d164b651879ac0a77455e07d9fc001a6d
SHA3-384 hash: f5a99c69032f666a038d3a325ab28e59f3d95836ecebf858af2c9b9489f690be8289dd7314f667a3a3fb1ece85cfe6bb
SHA1 hash: 3f8cd60724ea2fbd12a553323d3673bb0266d0e5
MD5 hash: 4695b0fa8891abfaaafcb135dc00c7a6
humanhash: iowa-johnny-mexico-foxtrot
File name: fffd5fb4107407ecc42df03dec6cc20d164b651879ac0a77455e07d9fc001a6d
Signature: CobaltStrike
File size: 1'414'144 bytes
First seen: 2020-09-30 12:14:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 93a138801d9601e4c36e6274c8b9d111 (11 x CobaltStrike, 9 x Snatch, 8 x LaplasClipper)
ssdeep: 24576:Fh4WqzrulHkQ3NR+axjhHiCwbo2y1bVY6RyuZAQ3zoO/:rBqzrulT3NsaxVC0u6lKEUG
Threatray: 12 similar samples on MalwareBazaar
TLSH: 16656B467CE51CBAE9B9F2314CB282A03737B86943327BD31E45557A1A76EC02E3D364
Reporter: JAMESWT_WT
Tags: 185.200.34.175, CobaltStrike, Rozena

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Sending a UDP request
Connection attempt
Result
Threat name: Unknown
Detection: malicious
Classification: troj
Score: 60 / 100
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Multi AV Scanner detection for submitted file
Threat name: Win64.Trojan.Rozena
Status: Malicious
First seen: 2020-09-24 01:50:00 UTC
File Type: PE+ (Exe)
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: fffd5fb4107407ecc42df03dec6cc20d164b651879ac0a77455e07d9fc001a6d
MD5 hash: 4695b0fa8891abfaaafcb135dc00c7a6
SHA1 hash: 3f8cd60724ea2fbd12a553323d3673bb0266d0e5
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments