MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 607d94ef7add6e89f96f2e364362a41f472475380f840c1d8369d195f6e4df2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike
Vendor detections: 6


SHA256 hash: 607d94ef7add6e89f96f2e364362a41f472475380f840c1d8369d195f6e4df2b
SHA3-384 hash: e5c76eca1236bbc6042e534bc733b25b1ebe8de949701f1ca0d367cc443e4750155f915676700648e5bfb93b514dd5b8
SHA1 hash: f1e9aa80162d01fa679b8fb48c587a2b3e6f354d
MD5 hash: bc8dbd37e3c4c2f2ea15711d06513bda
humanhash: chicken-berlin-purple-fix
File name: 262908e6c3a9ace86eeee6d494c00718
Signature: CobaltStrike
File size: 222'208 bytes
First seen: 2020-11-17 12:39:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep: 3072:GjEaiS4kpMWY/pNqODIdMdvB5r5ng75/fiUsKsrYT7svp6gQr+9QM45xQs:fp/bqaIyBsNPW8EvslrU43Q
Threatray: 203 similar samples on MalwareBazaar
TLSH: EB24DF3D6EB72CB9FEFB397087519E69DFE0A51771ED18220972544B264220CAC623F4
Reporter: seifreed
Tags: CobaltStrike

Intelligence


File Origin
# of uploads: 1
# of downloads: 63
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  DNS request
  Sending a custom TCP request
  Connection attempt
Threat name: Win32.Trojan.CobaltStrike
Status: Malicious
First seen: 2020-11-17 12:44:27 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike backdoor trojan
Behaviour: Cobaltstrike
Malware Config
C2 Extraction:
  http://mn.service1updater.com:443/as
  http://nm.service1updater.com:443/as
  http://rf.service1updater.com:443/as
Unpacked files
SHA256 hash: 607d94ef7add6e89f96f2e364362a41f472475380f840c1d8369d195f6e4df2b
MD5 hash: bc8dbd37e3c4c2f2ea15711d06513bda
SHA1 hash: f1e9aa80162d01fa679b8fb48c587a2b3e6f354d
SHA256 hash: f678ab37f78fe2ae6447f496672a18374b628e2abbe55960b3f64a0a60f4ef21
MD5 hash: 54fe4f889acd440acc0462b16ce5f52c
SHA1 hash: 191445aadf651ecf46dc4b0bb8b340ff4c4ce98c
Please note that we are no longer able to provide a coverage score for Virus Total.
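The indicators above (the extracted C2 URLs and the file hashes of the sample and its unpacked payload) are what a responder would actually hunt with. The script below is an added example, not MalwareBazaar's code: it derives host, parent-domain and URI indicators from the three C2 URLs, then matches them against a handful of constructed proxy, DNS and EDR log lines (the log format and every log line are invented for illustration). It generalises slightly beyond the entry: the assumption that the operator may rotate to a new subdomain of service1updater.com is mine, so the parent domain is matched as a suffix as well as the three exact hosts. It also flags what the extracted config itself shows, plaintext http:// with port 443, since that combination stands out in proxy logs.

```python
"""Match the indicators from this MalwareBazaar entry against log events.

Added example, not MalwareBazaar code. Only the hashes and C2 URLs come
from the entry; the log format and log lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the entry above.
C2_URLS = [
    "http://mn.service1updater.com:443/as",
    "http://nm.service1updater.com:443/as",
    "http://rf.service1updater.com:443/as",
]
SAMPLE_HASHES = {
    "607d94ef7add6e89f96f2e364362a41f472475380f840c1d8369d195f6e4df2b",
    "f1e9aa80162d01fa679b8fb48c587a2b3e6f354d",
    "bc8dbd37e3c4c2f2ea15711d06513bda",
    "f678ab37f78fe2ae6447f496672a18374b628e2abbe55960b3f64a0a60f4ef21",
    "191445aadf651ecf46dc4b0bb8b340ff4c4ce98c",
    "54fe4f889acd440acc0462b16ce5f52c",
}


def build_iocs(urls):
    """Derive host, parent-domain and URI-path indicators from C2 URLs.

    The parent domain is kept as a suffix indicator on the assumption
    (mine, not the entry's) that the operator may rotate subdomains.
    """
    hosts, domains, paths = set(), set(), set()
    for u in urls:
        parts = urlsplit(u)
        host = parts.hostname.lower()
        hosts.add(host)
        domains.add(".".join(host.split(".")[-2:]))
        paths.add(parts.path)
    return {"hosts": hosts, "domains": domains, "paths": paths}


def host_matches(host, iocs):
    """Exact host match, or a label-boundary suffix match on the parent domain."""
    host = host.lower().rstrip(".")
    if host in iocs["hosts"]:
        return True
    # Suffix match must respect the label boundary so that
    # service1updater.com.evil.test does not match.
    return any(host == d or host.endswith("." + d) for d in iocs["domains"])


# Constructed log formats (not from the entry): proxy, DNS and EDR hash events.
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) DNS query (?P<qname>\S+)$")
HASH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) file_created sha256=(?P<sha256>[0-9a-f]{64})$")


def scan(lines, iocs=None, hashes=SAMPLE_HASHES):
    """Return (line_no, reason) for every log line that hits an indicator."""
    iocs = iocs or build_iocs(C2_URLS)
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line)
        if m:
            parts = urlsplit(m["url"])
            if parts.hostname and host_matches(parts.hostname, iocs):
                reason = "C2 host"
                if parts.path in iocs["paths"]:
                    reason += " and URI"
                # The extracted config uses http:// with port 443; cleartext
                # HTTP on 443 is itself a useful proxy-log anomaly to flag.
                if parts.scheme == "http" and parts.port == 443:
                    reason += " (plaintext HTTP on 443)"
                hits.append((n, reason))
            continue
        m = DNS_RE.match(line)
        if m and host_matches(m["qname"], iocs):
            hits.append((n, "C2 domain lookup"))
            continue
        m = HASH_RE.match(line)
        if m and m["sha256"] in hashes:
            hits.append((n, "known sample hash"))
    return hits


# Constructed log lines for illustration; only line 1, 3 and 5 should hit.
CONSTRUCTED_LOGS = [
    "2020-11-17T12:40:01Z 10.0.0.5 GET http://mn.service1updater.com:443/as 200",
    "2020-11-17T12:40:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2020-11-17T12:40:03Z 10.0.0.7 DNS query xx.service1updater.com",
    "2020-11-17T12:40:04Z 10.0.0.7 DNS query service1updater.com.evil.test",
    "2020-11-17T12:41:00Z host-a file_created sha256=607d94ef7add6e89f96f2e364362a41f472475380f840c1d8369d195f6e4df2b",
]

if __name__ == "__main__":
    for n, reason in scan(CONSTRUCTED_LOGS):
        print(f"line {n}: {reason}")
```

The hash set includes the MD5 and SHA1 values as well as SHA256 so the same indicator list works against sources that only log the weaker hashes; matching on host rather than full URL avoids depending on the beacon's URI or scheme, which a Cobalt Strike profile can change without touching the domain.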

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: APT_DarkHydrus_Jul18_5
Author: Florian Roth
Description: Detects strings found in malware samples in APT report in DarkHydrus
Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments