MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5daf37825cdc2b41a078b9a4b73c62700c2a6e41ae7d696b3fa644310109c253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
CobaltStrike


Vendor detections: 7

SHA256 hash: 5daf37825cdc2b41a078b9a4b73c62700c2a6e41ae7d696b3fa644310109c253
SHA3-384 hash: 5028b58bb9b13d6451b378ea41bc42b1a7b7c1c44074f87c6393813bf874a415b4e17684ad9be5354450ee68e9fd21fb
SHA1 hash: 973383e9513347d0cbf223b15532001988e5b034
MD5 hash: 379435cc19c931e2b19d7470649ffc35
humanhash: pasta-helium-table-lake
File name: AnyDesk.exe
Signature: CobaltStrike
File size: 732'160 bytes
First seen: 2020-10-23 20:14:29 UTC
Last seen: 2020-10-23 20:45:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8e07f2f657f81e7a6383bb37b9875427 (1 x CobaltStrike)
ssdeep: 12288:SVVd8Umx+REJsBElsJYmVg0mqtPNUmu+vAQwIDNcxEJ:SVVd8UuRlsJH2QPSmu+IQdDNcxQ
Threatray: 97 similar samples on MalwareBazaar
TLSH: 4BF4F1D1F3044AD6ED790271C86B8C0426167E7DD5E09E2E12AFB956B4F33A3106BA4F
Reporter: James_inthe_box
Tags: CobaltStrike exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 131
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to inject threads in other processes
Hijacks the control flow in another process
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Threat name: Win32.Trojan.CobaltStrike
Status: Malicious
First seen: 2020-10-13 23:43:28 UTC
File Type: PE (Exe)
Extracted files: 73
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: cobaltstrike
Score: 10/10
Tags: trojan backdoor family:cobaltstrike
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
Cobaltstrike
Malware Config
C2 Extraction: http://binbong.net:443/maps/overlaybfpr
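The extracted C2 URL is the most actionable indicator on this entry. The Python below is an added example, not code from MalwareBazaar or from the reporter: it splits the URL into host, port and path and runs those indicators over a few constructed proxy log lines, separating a full beacon check-in (host, port and path all match) from other traffic to the same host. Note that the URL carries the http scheme with an explicit port 443, i.e. cleartext HTTP on the port normally reserved for TLS; a proxy or IDS that only parses HTTP on port 80, or only decrypts TLS on 443, may not record these requests at all. The log format, the client addresses and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# C2 URL as extracted from the sample's configuration on this entry.
C2_URL = "http://binbong.net:443/maps/overlaybfpr"


def c2_indicators(url: str) -> dict:
    """Split a C2 URL into the pieces a proxy or IDS rule matches on.

    The default port is only assumed when the URL gives none; this
    entry's URL states 443 explicitly while keeping the http scheme.
    """
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return {
        "scheme": parts.scheme,
        "host": parts.hostname.lower(),
        "port": parts.port if parts.port is not None else default_port,
        "path": parts.path,
    }


# Constructed proxy log lines for the illustration (not from the page).
# Fields: timestamp client_ip method host:port path status
PROXY_LOG = """\
2020-10-23T20:15:01Z 10.0.0.12 GET binbong.net:443 /maps/overlaybfpr 200
2020-10-23T20:15:07Z 10.0.0.12 GET www.example.com:443 /index.html 200
2020-10-23T20:15:20Z 10.0.0.31 GET BINBONG.NET:443 /maps/overlaybfpr 200
2020-10-23T20:16:02Z 10.0.0.45 POST binbong.net:443 /submit.php 200
2020-10-23T20:16:40Z 10.0.0.12 GET binbong.net:80 /maps/overlaybfpr 404
"""


def parse_proxy_line(line: str) -> dict:
    """Parse one line of the assumed proxy log format into a record."""
    ts, client, method, hostport, path, status = line.split()
    host, _, port = hostport.rpartition(":")
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": host.lower(),   # hostnames are case-insensitive
        "port": int(port),
        "path": path,
        "status": int(status),
    }


def match_c2(log_text: str, url: str = C2_URL) -> list:
    """Return one hit per log line that touches the C2 host.

    A hit is labelled "c2-uri" when host, port and path all equal the
    extracted C2 URL (a beacon check-in as configured) and "c2-domain"
    when only the host matches, so other traffic to the same
    infrastructure is still surfaced but kept distinct.
    """
    ioc = c2_indicators(url)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if rec["host"] != ioc["host"]:
            continue
        exact = rec["port"] == ioc["port"] and rec["path"] == ioc["path"]
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "label": "c2-uri" if exact else "c2-domain",
        })
    return hits


if __name__ == "__main__":
    for hit in match_c2(PROXY_LOG):
        print(hit)
```

Matching on the host alone catches the mixed-case and wrong-port lines, while the path-and-port comparison is what ties a request to this particular configuration; both views are worth keeping, since one sample's extracted URL is not necessarily the only URI the same infrastructure serves.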
Unpacked files
SHA256 hash: 5daf37825cdc2b41a078b9a4b73c62700c2a6e41ae7d696b3fa644310109c253
MD5 hash: 379435cc19c931e2b19d7470649ffc35
SHA1 hash: 973383e9513347d0cbf223b15532001988e5b034

SHA256 hash: 26323ce9fa53e2f97f8115e3a4889cab74b30d9c49df2b5dc510a9825f726d70
MD5 hash: 0d8634ad3494fbe6244fb6ca35b669e0
SHA1 hash: 6a7ddf4d238b496d0244d8b2fd4aa383b1e25fe2

SHA256 hash: 8cec568c3e5bc08850b39263e43c9dea7f605428299a3b55f31f6f7f69dfdbf5
MD5 hash: 621d246f78a13d9ec7e952dd8212b2b8
SHA1 hash: 8a6fe18bdf6b303046bab415c506a6208baad30e
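Before analysing a copy of this sample, confirm that the bytes on disk are the ones this entry describes. The Python below is an added example, not code from MalwareBazaar: it recomputes the digests that the standard library can produce (SHA256, SHA3-384, SHA1 and MD5; imphash, ssdeep and TLSH need third-party libraries and are left out), compares them case-insensitively against the hashes listed above, and checks whether two hash records describe the same file, which is how one sees that the first "Unpacked files" record is the parent sample itself. The function names and the "abc" test input used in the checks are assumptions for the illustration, not sample content.

```python
import hashlib
from pathlib import Path

# Hashes of the sample (AnyDesk.exe) as listed on this entry.
SAMPLE_HASHES = {
    "sha256": "5daf37825cdc2b41a078b9a4b73c62700c2a6e41ae7d696b3fa644310109c253",
    "sha3_384": "5028b58bb9b13d6451b378ea41bc42b1a7b7c1c44074f87c6393813bf874a415"
                "b4e17684ad9be5354450ee68e9fd21fb",
    "sha1": "973383e9513347d0cbf223b15532001988e5b034",
    "md5": "379435cc19c931e2b19d7470649ffc35",
}

# The three records under "Unpacked files", in page order. The first
# record repeats the parent sample's own hashes.
UNPACKED_HASHES = [
    {
        "sha256": "5daf37825cdc2b41a078b9a4b73c62700c2a6e41ae7d696b3fa644310109c253",
        "md5": "379435cc19c931e2b19d7470649ffc35",
        "sha1": "973383e9513347d0cbf223b15532001988e5b034",
    },
    {
        "sha256": "26323ce9fa53e2f97f8115e3a4889cab74b30d9c49df2b5dc510a9825f726d70",
        "md5": "0d8634ad3494fbe6244fb6ca35b669e0",
        "sha1": "6a7ddf4d238b496d0244d8b2fd4aa383b1e25fe2",
    },
    {
        "sha256": "8cec568c3e5bc08850b39263e43c9dea7f605428299a3b55f31f6f7f69dfdbf5",
        "md5": "621d246f78a13d9ec7e952dd8212b2b8",
        "sha1": "8a6fe18bdf6b303046bab415c506a6208baad30e",
    },
]


def compute_hashes(data: bytes, algorithms=("sha256", "sha3_384", "sha1", "md5")) -> dict:
    """Return lowercase hex digests of `data` for each named hashlib algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_hashes(data: bytes, expected: dict) -> list:
    """Compare `data` with an expected hash record.

    Returns the names of the algorithms whose digest does not match; an
    empty list means every listed hash agrees. Hex casing differs between
    vendors, so the comparison is case-insensitive.
    """
    computed = compute_hashes(data, tuple(expected))
    return [name for name, want in expected.items() if computed[name] != want.lower()]


def verify_file(path, expected: dict = SAMPLE_HASHES) -> list:
    """Verify a file on disk against a hash record (default: this entry's sample)."""
    return verify_hashes(Path(path).read_bytes(), expected)


def is_same_file(a: dict, b: dict) -> bool:
    """True when two hash records agree on every algorithm they both list."""
    shared = set(a) & set(b)
    return bool(shared) and all(a[k].lower() == b[k].lower() for k in shared)


if __name__ == "__main__":
    import sys

    # Usage: python verify_sample.py <path to the extracted executable>
    bad = verify_file(sys.argv[1])
    print("OK: all listed hashes match" if not bad else "MISMATCH on " + ", ".join(bad))
```

MalwareBazaar serves samples inside a password-protected ZIP archive (password "infected"); the hashes on this page describe the extracted executable, not the archive, so run the check against the unpacked file. A mismatch on every algorithm usually means the wrong file was hashed; a mismatch on one algorithm only points at a transcription error in the expected value rather than at the sample.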
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
