MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 060f47ff732e52dad19d6f2803617491cf640f845d828846b481184427e379a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 060f47ff732e52dad19d6f2803617491cf640f845d828846b481184427e379a9
SHA3-384 hash: 5d676f3b2ffbba9293f270257237c77a82a05d6c19db17dfb62393e4998cd2046b7c66df339ba8d760e9de2a11ca7795
SHA1 hash: 94c6da3ee9df407bc726a1fb74d8c01e38a7a338
MD5 hash: 29f8337b837344051033c29d8bb1687d
humanhash: indigo-mirror-delaware-louisiana
File name:sample.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:530'300 bytes
First seen:2021-04-19 06:49:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:5hqxSLo5C1Ps4XhitX+t498zyqhokptepS00LyuP/1FZebfRUwpVU:5HLmCiIhiX0yOprCuDZebfRUn
Threatray 884 similar samples on MalwareBazaar
TLSH 3EB4E102B9C19472D4321A326939AB206D7D7C201F24CADFA3F8656DDF315D1A635BB3
Reporter Anonymous
Tags:CobaltStrike

Intelligence

File Origin
# of uploads :
1
# of downloads :
621
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sample.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-19 06:51:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f673604e-fa0e-4ef1-8ea0-5fd1c3531bf8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/138275/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/686276
Signature
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/060f47ff732e52dad19d6f2803617491cf640f845d828846b481184427e379a9/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ayhup73tfzjnvum5n4uagylushhwid4elwbiqrvuqemeij7dpguq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
CobaltStrike
1202173f3ce4f49947f8e6554991a320c7a6e5faced43bec6a3bd051d13f7666
CobaltStrike
41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51
CobaltStrike
4c25202298f76f1598a1e169ca435b80541e1db59c542f55e1eb8e3cbf76a419
CobaltStrike
6624ce134dd16a37d6615483002f24b74c74c55b45259bc5408b7ae804d0fe22
CobaltStrike
86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
CobaltStrike
91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c
CobaltStrike
99612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5
CobaltStrike
a144d424d0ace63551d67ee67efe8ff6242df2b5c55d8f2494e0731f2d88f711
CobaltStrike
da58d100900745d6a15113e8b8cb5c2a3252a3c4a063ccc64fd09cc75cfb21ff
CobaltStrike
+ 874 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210419-hchqebjxza/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/060f47ff732e52dad19d6f2803617491cf640f845d828846b481184427e379a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_Sleep_Decoder_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike sleep_mask decoder
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/138275/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-19 07:04:01 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
1) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
2) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
6) [F0004.007] Defense Evasion::Bypass Windows File Protection
8) [C0046] File System Micro-objective::Create Directory
9) [C0048] File System Micro-objective::Delete Directory
10) [C0047] File System Micro-objective::Delete File
11) [C0049] File System Micro-objective::Get File Attributes
12) [C0051] File System Micro-objective::Read File
13) [C0050] File System Micro-objective::Set File Attributes
14) [C0052] File System Micro-objective::Writes File
15) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
18) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
19) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
20) [C0040] Process Micro-objective::Allocate Thread Local Storage
21) [C0017] Process Micro-objective::Create Process
22) [C0038] Process Micro-objective::Create Thread
23) [C0041] Process Micro-objective::Set Thread Local Storage Value
24) [C0018] Process Micro-objective::Terminate Process