MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60755909e216dc65f11b7b49ae73ad3e08cb1c5e4255916ea195dbd896f3ae73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60755909e216dc65f11b7b49ae73ad3e08cb1c5e4255916ea195dbd896f3ae73
SHA3-384 hash: 7d9d80ec8263e0a4eb9c97324449186df5428190eebb59469e31b405383a9a839798490f35a7c979bf42925637b97f0c
SHA1 hash: 93ece83cede579b15d050128c06a8a37177b2531
MD5 hash: b0da3557135a0589c4010cd5771879e6
humanhash: arizona-music-jersey-mobile
File name:SecuriteInfo.com.BackDoor.Meterpreter.166.16275.32643
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:310'288 bytes
First seen:2020-12-23 22:33:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef0bbad044408a92ad997ca3c7e2572c (2 x CobaltStrike)
ssdeep 6144:SzR9DeHLSkavRMWEIkkYO8HZCnohLc8Vn1Yh:SzR9DiSkDPIxYXHGoGth
Threatray 654 similar samples on MalwareBazaar
TLSH 5F646B5DB29414F8EDA3827CCC465546E63278060772CAFF03A182677F276E4AD3BB61
Reporter SecuriteInfoCom
Tags:CobaltStrike

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'341
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.BackDoor.Meterpreter.166.16275.32643
Verdict:
No threats detected
Analysis date:
2020-12-23 22:35:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2d139096-9e3f-43b3-952a-1a7f51f622d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109242/
Detection(s):
SecuriteInfo.com.BackDoor.Meterpreter.166.16275.32643.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
8
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/569479
Signature
Allocates memory in foreign processes
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60755909e216dc65f11b7b49ae73ad3e08cb1c5e4255916ea195dbd896f3ae73/
Threat name:
Win64.Trojan.Shelma
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 14:57:04 UTC
AV detection:
18 of 48 (37.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mb2vscpcc3ogl4i3pne2445nhyemwhc6ijkzc3vbsxn5rfxtvzzq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
02efd5f4d8dedabeab8e75f3e49a8fdb05c28dfd39bc1e5c96e8213fe3212e9f
CobaltStrike
080ef9f0362e415d3292125aa97d460f0499b6bec9596e2e580aef1fd7576e07
CobaltStrike
49f80e9afca6ccd55838cd0e16639d51ed5db3d751f36ba7d79ea0678b50da6a
CobaltStrike
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e
CobaltStrike
9282d409b92e1ebf58829283933edea243f7ccf3b68456139986c7cb5949522d
CobaltStrike
9ddc9ee2af5c7f4c792ea3b4887828ea5bf494c2591f4de09de456b94f142e7a
CobaltStrike
ce83f302a60301e222c23e67a7525106d610c6231c23d747ad4263669c1c88c7
CobaltStrike
e99cc027c77bed5c1414225e39093bde66c654a9adfcca9cb3ddafa266410aea
CobaltStrike
f74f5eb8416d9522e703877e104ac7923cc3efeedaa1138b6221726b0d359096
CobaltStrike
f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f
CobaltStrike
+ 644 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201223-9jqjxaz3gn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
60755909e216dc65f11b7b49ae73ad3e08cb1c5e4255916ea195dbd896f3ae73
MD5 hash:
b0da3557135a0589c4010cd5771879e6
SHA1 hash:
93ece83cede579b15d050128c06a8a37177b2531
Link:
https://www.unpac.me/results/a4d0bfe1-e47e-4de3-a651-5a1a52c58e6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Metasploit
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/60755909e216dc65f11b7b49ae73ad3e08cb1c5e4255916ea195dbd896f3ae73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:MALW_cobaltrike
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect CobaltStrike beacon
Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 60755909e216dc65f11b7b49ae73ad3e08cb1c5e4255916ea195dbd896f3ae73

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/109242/
  
URLhaus
https://urlhaus.abuse.ch/url/941186/
  
Delivery method
Distributed via web download

Comments