MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5724f81b8cc1a9a3330cb22020e393c854471f605b422b99a2fd5dda3d32cf80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 6

SHA256 hash: 5724f81b8cc1a9a3330cb22020e393c854471f605b422b99a2fd5dda3d32cf80
SHA3-384 hash: 18343e915307fd5b182a742caf9005c4c24f6d9ce7a03f3e60cc63619e57773c13db3865f732419ac8a30bccfda04c3d
SHA1 hash: 649a665f457896ea357180c21cac3b31ce00fe1e
MD5 hash: c084191cb374ab79235fefbdcefe65cf
humanhash: sweet-double-sink-neptune
File name: wct2CEBA.msi
Signature: CobaltStrike
File size: 1'117'184 bytes
First seen: 2021-05-26 13:07:06 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 24576:f/19mdUCFFAfOY9t+jtGvKOm7yiNrYvLQbJKuCn7C+0RRBcu/m:n6UCFFAfOat+HyixI9nOMu/m
Threatray: 280 similar samples on MalwareBazaar
TLSH: 33357C65E653C5F1F96715F0040BFBFBB9309A098431CD2FEA88DE50FBB2D1225A8256
Reporter: JAMESWT_WT
Tags: CobaltStrike

Intelligence

File Origin
# of uploads: 1
# of downloads: 482
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Trojan.Shelma
Status: Malicious
First seen: 2021-05-26 13:06:12 UTC
File Type: Binary (Archive)
Extracted files: 15
AV detection: 7 of 46 (15.22%)
Threat level: 5/5

Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike botnet:1973233653 backdoor trojan
Behaviour:
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Cobaltstrike
Malware Config
C2 Extraction: http://kayak.it:443/v1/profile

Please note that we are no longer able to provide a coverage score for Virus Total.
