MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa4ef5925f7374a93494b97a6ab43b0951c2d504972bbf43f9d29398e55481f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CobaltStrike

Vendor detections: 9

SHA256 hash: 7fa4ef5925f7374a93494b97a6ab43b0951c2d504972bbf43f9d29398e55481f
SHA3-384 hash: 1e438fe2d6ba69038668f62f82681415f63e41186ca53d0e282b0fb8296fc758438fc175a96a8808df0271b30ad7cfd0
SHA1 hash: 98d4e1c4ae2e19da51f4543cb2cff51a4a7f2b3e
MD5 hash: 60772f2f4ba787c019ff29dc9c747381
humanhash: seven-wisconsin-magnesium-emma
File name: LawyerCustomerComplaint.exe
Signature: CobaltStrike
File size: 687'600 bytes
First seen: 2021-02-11 15:48:18 UTC
Last seen: 2021-02-11 18:10:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dfe046db0f9814c859815e3c3c9c5d13 (1 x CobaltStrike)
ssdeep: 6144:LDiGKOUtcJxijdZ1GjI4rblxxIyyWur76QWinVm2juNJ7G0zcKD0nd:6GKOQcJUFGjI4gWurnW5y0zcKqd
Threatray: 212 similar samples on MalwareBazaar
TLSH: 0EE41610F2514AB6CBE2427738CE662ED6E6985C0EB749DBDA543E1C1B723D42DF920C
Reporter: Anonymous
Tags: CobaltStrike exe signed

Code Signing Certificate

Organisation: MANILA Solution as
Issuer: Certum Extended Validation Code Signing CA SHA2
Algorithm: sha256WithRSAEncryption
Valid from: 2020-12-31T12:34:03Z
Valid to: 2021-12-31T12:34:03Z
Serial number: 64c2505c7306639fc8eae544b0305338
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 08f74dce30d09f60dac6e824a712f0f27d81bf65c249a3d112b563e725c407bb
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 3
# of downloads: 503
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: LawyerCustomerComplaint.exe
Verdict: Suspicious activity
Analysis date: 2021-02-11 15:51:38 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Changing a file
Sending a UDP request
DNS request
Sending a custom TCP request

Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj
Score: 56 / 100
Signature
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.CobaltStrike
Status: Malicious
First seen: 2021-02-11 15:52:45 UTC
File Type: PE (Exe)
Extracted files: 108
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: dave
Behaviour
Suspicious use of SetWindowsHookEx
Dave packer
Unpacked files
SHA256 hash: 6b6d8c1f460343c63eea1f31837a4f04c84f1a569ad9f942184936fbbc1b7424
MD5 hash: 06d9a1fda88a74e36c28ddc4ada04474
SHA1 hash: d75311570e2faf7abd5fa1a4dbcf3e9360e4e07b
SHA256 hash: ebc9df7d137078fa5b3af35282e06cb219cd7889564beecba0dea64c4b0f9226
MD5 hash: faa0e04a341178d6fb5684ae04df5cba
SHA1 hash: a3e14156dc2e6360b8b7b19741e3a1449f770fac
SHA256 hash: 7fa4ef5925f7374a93494b97a6ab43b0951c2d504972bbf43f9d29398e55481f
MD5 hash: 60772f2f4ba787c019ff29dc9c747381
SHA1 hash: 98d4e1c4ae2e19da51f4543cb2cff51a4a7f2b3e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments