MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6220127ada00d84b58d718152748cd2c62007b1de92201701dc2968d2b00e31f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6220127ada00d84b58d718152748cd2c62007b1de92201701dc2968d2b00e31f
SHA3-384 hash: 82f02267eed5e388af801cd8a721ff2f7a2bc5b267d62ac2622da484471a2aefe66baae118f48f3dc0b3b6fdfc18618b
SHA1 hash: 5323e4bfbfab456fe5d1b87b087df70878ade12b
MD5 hash: 74b457e0ed2252df87678c69907a8a24
humanhash: india-aspen-sad-beer
File name:6220127ada00d84b58d718152748cd2c62007b1de92201701dc2968d2b00e31f
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:281'600 bytes
First seen:2021-03-20 05:04:27 UTC
Last seen:2021-04-28 16:07:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 568839388b24ae4abce14a8d1d27ca56 (2 x CobaltStrike)
ssdeep 6144:K1BpxRvBVO1bDuuVDUV7FNPxpt2PV4p4Ggg2R1eAOb14fRjmPx0:K7hADuuVDUBvxpAPVm2Rkt1DPx0
Threatray 231 similar samples on MalwareBazaar
TLSH 7F549E0275C0C073D56311335968D7768A3EB9100F658AEBA3D4D93ECF742D19B3ABAA
Reporter JAMESWT_WT
Tags:CobaltStrike signed Toko Saya ApS

Code Signing Certificate

Organisation:Toko Saya ApS
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-12-29T00:00:00Z
Valid to:2021-12-29T23:59:59Z
Serial number: 7dcd19a94535f034ee36af4676740633
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 10b178e1b2dbe6796802077f78c67a3447c714ea6cedb35a4ca3574e63ab2440
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
604
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6220127ada00d84b58d718152748cd2c62007b1de92201701dc2968d2b00e31f
Verdict:
No threats detected
Analysis date:
2021-03-20 05:07:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf4d8446-2846-4237-a4fc-7a21dd165e9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/125746/
Detection(s):
SecuriteInfo.com.BackDoor.Meterpreter.119.14604.22678.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e5c06e5-e4d7-4393-9b46-11e305e22497
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/646739
Signature
Contains functionality to detect sleep reduction / modifications
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372337 Sample: uTiMDmhax3 Startdate: 20/03/2021 Architecture: WINDOWS Score: 52 11 Multi AV Scanner detection for submitted file 2->11 6 uTiMDmhax3.exe 1 2->6         started        process3 signatures4 13 Contains functionality to detect sleep reduction / modifications 6->13 9 conhost.exe 6->9         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6220127ada00d84b58d718152748cd2c62007b1de92201701dc2968d2b00e31f/
Threat name:
Win32.Backdoor.Bazarloader
Create hunting rule
Status:
Malicious
First seen:
2021-03-18 14:00:57 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 47 (40.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
1fa49ff58cdc8aded5a0f36c0fc10e68ec7b6dc2f6fa6a8a93e0ceedaf47d524
CobaltStrike
4f6af6104eb118ee193f1b77124dfcdfbef04af6ae6e55c8e37f2f68e9d526eb
CobaltStrike
57a395267a680f4909efd096007d6ec86254502ae1c33a70733f0ccef85c4791
CobaltStrike
5daf37825cdc2b41a078b9a4b73c62700c2a6e41ae7d696b3fa644310109c253
CobaltStrike
862b7166544610864ea1bbab5e5d53d2416fbdc5edae901dcd94286863b9a538
CobaltStrike
88994559075aee6d9f508bfe1649de460a7fc098d7cf50b93415b64790e50787
CobaltStrike
8bb24503e3418b4e1879c450818a21da05f7f3a54da7939b3f1733b45c9bb029
CobaltStrike
a74108f43988425efb369e2a59a5e7d56f74cc6a4af9f50d68a380354020027f
CobaltStrike
cc1c9ca031eea8c1521bf4bf6f83df1bfb2d14828dc10b5eeec0a69b0192891b
CobaltStrike
d62ddb44e4baf975b4e843e679781a9ffdb631c978d86550d4ad78a94ef549f1
CobaltStrike
+ 221 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:metasploit backdoor trojan
Link:
https://tria.ge/reports/210320-a6qef6rx1e/
Behaviour
Modifies system certificate store
Cobaltstrike
MetaSploit
Malware Config
C2 Extraction:
http://njerseysports.com:443/jquery-3.3.1.slim.min.js
http://njerseysports.com:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
6220127ada00d84b58d718152748cd2c62007b1de92201701dc2968d2b00e31f
MD5 hash:
74b457e0ed2252df87678c69907a8a24
SHA1 hash:
5323e4bfbfab456fe5d1b87b087df70878ade12b
Link:
https://www.unpac.me/results/b07d1fa9-2047-47d7-8cbe-e8cdc557b851/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6220127ada00d84b58d718152748cd2c62007b1de92201701dc2968d2b00e31f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1372894842024562688?s=20
Cape
Cape
https://www.capesandbox.com/analysis/125746/

Comments