Task Information
Task ID: fd4ce1ad-f226-11f0-9df4-42010aa4000b
File name: 2f231624a528a8361f844f41019ddbb3
Task parameters: ClamAV scan: True
Unpack: False
Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
Rule name: Beacon_K5om
Alert
Author: Florian Roth (Nextron Systems)
Description: Detects Meterpreter Beacon - file K5om.dll
Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: Beacon_K5om_RID2B14
Alert
Author: Florian Roth
Description: Detects Meterpreter Beacon - file K5om.dll
Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
TLP: TLP:WHITE
Rule name: CobaltStrike
Alert
Author: JPCERT/CC Incident Response Group
Description: detect CobaltStrike Beacon in memory
Reference: https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
TLP: TLP:WHITE
Repository: JPCERTCC
Rule name: CobaltStrike_Resources_Beacon_Dll_v3_8
Alert
Author: gssincla@google.com
Description: Cobalt Strike's resources/beacon.dll Versions 3.8
Reference: https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: CobaltStrike_Resources_Dnsstager_Bin_v1_47_through_v4_x
Alert
Author: gssincla@google.com
Description: Cobalt Strike's resources/dnsstager.bin signature for versions 1.47 to 4.x
Reference: https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: Cobaltstrike1
Alert
Author: Ahmet Payaslioglu | Binalyze DFIR LAB
Description: Cobalt Strike Detection
TLP: TLP:WHITE
Repository: AhmetPayaslioglu
Rule name: Cobaltstrike2
Alert
Author: Ahmet Payaslioglu | Binalyze DFIR LAB
Description: Cobalt Strike Detection
TLP: TLP:WHITE
Repository: AhmetPayaslioglu
Rule name: Cobaltstrike3
Alert
Author: Ahmet Payaslioglu | Binalyze DFIR LAB
Description: Cobalt Strike Detection
TLP: TLP:WHITE
Repository: AhmetPayaslioglu
Rule name: CobaltStrikeBeacon
Alert
Author: ditekshen, enzo & Elastic
Description: Cobalt Strike Beacon Payload
TLP: TLP:WHITE
Repository: CAPE
Rule name: CP_Script_Inject_Detector
Alert
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
TLP: TLP:WHITE
Repository: YARAify
Rule name: crime_win32_csbeacon_1
Alert
Author: @VK_Intel
Description: Detects Cobalt Strike loader
Reference: https://twitter.com/VK_Intel/status/1239632822358474753
TLP: TLP:WHITE
Repository: k-vitali
Rule name: DebuggerCheck__API
Alert
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE
Rule name: detect_powershell
Alert
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution
TLP: TLP:WHITE
Repository: YARAify
Rule name: Detect_PowerShell_Obfuscation
Alert
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
TLP: TLP:WHITE
Repository: YARAify
Rule name: FreddyBearDropper
Alert
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.
TLP: TLP:WHITE
Repository: YARAify
Rule name: HKTL_CobaltStrike_Beacon_Strings
Alert
Author: Elastic
Description: Identifies strings used in Cobalt Strike Beacon DLL
Reference: https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: HKTL_Meterpreter_inMemory
Alert
Author: netbiosX, Florian Roth
Description: Detects Meterpreter in-memory
Reference: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: HKTL_Win_CobaltStrike
Alert
Author: threatintel@volexity.com
Description: The CobaltStrike malware family.
Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
TLP: TLP:WHITE
Rule name: Leviathan_CobaltStrike_Sample_1
Alert
Author: Florian Roth (Nextron Systems)
Description: Detects Cobalt Strike sample from Leviathan report
Reference: https://goo.gl/MZ7dRg
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: MALW_cobaltrike
Alert
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Rule to detect CobaltStrike beacon
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
TLP: TLP:WHITE
Repository: advanced-threat-research
Rule name: malware_CobaltStrike_v3v4
Alert
Author: JPCERT/CC Incident Response Group
Description: detect CobaltStrike Beacon in memory
Reference: https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
TLP: TLP:WHITE
Repository: JPCERTCC
Rule name: Malware_QA_vqgk
Alert
Author: Florian Roth (Nextron Systems)
Description: VT Research QA uploaded malware - file vqgk.dll
Reference: VT Research QA
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: classified
Description: classified
Rule name: ReflectiveLoader
Alert
Author: Florian Roth (Nextron Systems)
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: Sus_CMD_Powershell_Usage
Alert
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actor (can create FP)
TLP: TLP:WHITE
Repository: YARAify
Rule name: SUSP_XORed_Mozilla_Oct19
Alert
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: SUSP_XORed_Mozilla_RID2DB4
Alert
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
TLP: TLP:WHITE
Rule name: ThreadControl__Context
Alert
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE
Rule name: troj_win_cobaltstrike_memoryinject
Alert
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Detects Cobalt Strike payload typically loaded into memory via PowerShell.
TLP: TLP:WHITE
Repository: karttoon
Rule name: WiltedTulip_ReflectiveLoader
Alert
Author: Florian Roth (Nextron Systems)
Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference: http://www.clearskysec.com/tulip
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: classified
Author: classified
TLP: TLP:AMBER
Rule name: win_cobalt_strike_auto
Alert
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cobalt_strike.
TLP: TLP:WHITE
Repository: Malpedia
Rule name: win_samsam_auto
Alert
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
TLP: TLP:WHITE
Repository: Malpedia
Rule name: Windows_Trojan_Metasploit_38b8ceec
Alert
Author: Elastic Security
Description: Identifies the API address lookup function used by Metasploit. Also used by other tools (like Beacon).
TLP: TLP:WHITE
Repository: elastic
Rule name: Windows_Trojan_Metasploit_c9773203
Alert
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference: https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm
TLP: TLP:WHITE
Repository: elastic
Rule name: Windows_Trojan_Metasploit_c9773203
Alert
Author: Elastic Security
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference: https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm
TLP: TLP:WHITE
Repository: elastic
Unpacker
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter