Task Information
Task ID: 93485c38-1fba-11f1-b47f-42010aa4000b File name: 403d444644a96575d8d603e3c82c469c Task parameters: ClamAV scan: True Unpack: False Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
YARA Results
The following YARA rules matched on the file (static analysis).
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report Description: files - file ~tmp01925d3f.exe Reference: https://thedfirreport.com TLP: TLP:WHITE Repository: YARAify
Rule name: CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6
Author: gssincla@google.com Description: Cobalt Strike's sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6 Reference: https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse TLP: TLP:WHITE Repository: Neo23x0
Rule name: Cobaltstrike3
Author: Ahmet Payaslioglu | Binalyze DFIR LAB Description: Cobalt Strike Detection TLP: TLP:WHITE Repository: AhmetPayaslioglu
Rule name: CobaltStrikeBeacon
Author: ditekshen, enzo & Elastic Description: Cobalt Strike Beacon Payload TLP: TLP:WHITE Repository: CAPE
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries TLP: TLP:WHITE Repository: YARAify
Rule name: HKTL_CobaltStrike_Beacon_Strings
Author: Elastic Description: Identifies strings used in Cobalt Strike Beacon DLL Reference: https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures TLP: TLP:WHITE Repository: Neo23x0
Rule name: HKTL_Win_CobaltStrike
Author: threatintel@volexity.com Description: The CobaltStrike malware family. Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ TLP: TLP:WHITE
Rule name: classified Description: classified
Rule name: ReflectiveLoader
Author: Florian Roth (Nextron Systems) Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended Reference: Internal Research TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force() TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth Description: Detects suspicious XORed keyword - Mozilla/5.0 Reference: Internal Research TLP: TLP:WHITE
Rule name: VECT_Ransomware
Author: Mustafa Bakhit Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments. TLP: TLP:WHITE Repository: YARAify
Rule name: WiltedTulip_ReflectiveLoader
Author: Florian Roth (Nextron Systems) Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Reference: http://www.clearskysec.com/tulip TLP: TLP:WHITE Repository: Neo23x0
Rule name: win_cobalt_strike_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com Description: Detects win.cobalt_strike. TLP: TLP:WHITE Repository: Malpedia
Rule name: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Reference: https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm TLP: TLP:WHITE Repository: elastic
Rule name: Windows_Trojan_Metasploit_c9773203
Author: Elastic Security Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Reference: https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm TLP: TLP:WHITE Repository: elastic
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter