MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273
SHA3-384 hash: 375df6d81771569dd9976e3c6da12319fba22e5faca712b9e10bde987f5b08933d45de4d79aaa5ebd468e9a40d033a86
SHA1 hash: 8fe4963b245d02aae63cac3c32ad65568db35d6e
MD5 hash: d8875388de11296e6ffa270139be621b
humanhash: thirteen-alaska-idaho-october
File name:89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:311'216 bytes
First seen:2021-05-17 08:17:33 UTC
Last seen:2021-05-17 08:51:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b765acb3440e8d5d9c2a230183cd8632 (1 x CobaltStrike)
ssdeep 1536:puB+hZVWZb79LWNprvwoYMXnqYVpNTuWbPNnnAds+0u/uIPvkMrvXIyj6dcLOgQr:9zVWt7ENpD5XnqYXtuGnysQweqcLzvY
Threatray 827 similar samples on MalwareBazaar
TLSH 9B64C6D76294FC06CA711634009A42EE0539BE7FB74E87172AD5BE396A737A03E4850D
Reporter JAMESWT_WT
Tags:2021945 Ontario Inc. Cobalt Strike signed

Code Signing Certificate

Organisation:2021945 Ontario Inc.
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2017-05-22T06:23:01Z
Valid to:2019-05-22T06:23:01Z
Serial number: 9fac361ee3304079
Thumbprint Algorithm:SHA256
Thumbprint: ae3db45e4b3fe8938fed1a99e0961fda9ed3f48294d3421204020eed9efa9442
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273
Verdict:
No threats detected
Analysis date:
2021-05-17 08:26:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/15423d51-43da-4ae5-93e0-b453e5dd360e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/157788/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Meterpreter
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/783339
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to check if the process is started with administrator privileges
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Yara detected Meterpreter
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273/
Threat name:
Win64.Backdoor.Meterpreter
Create hunting rule
Status:
Malicious
First seen:
2021-05-01 02:46:55 UTC
File Type:
PE+ (Exe)
Extracted files:
17
AV detection:
21 of 47 (44.68%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9
CobaltStrike
21997a8180c9d1add6f4b7eb35d754d9a15acc614cdb5b11078eb5da661d9d3e
CobaltStrike
2af42a2047b16f2dea0038365058a8d8b7f71152117c371ce7f593e47aa785d1
CobaltStrike
4f4037898d619b3b5f1c9fedd3e3940f46d39a57db2cbf9b4d8238d587fd7168
CobaltStrike
593d037e9fd467ebe80cb0ff28d22be2dbc0fdaad4d626ee2ad30707d8ea23da
CobaltStrike
9282d409b92e1ebf58829283933edea243f7ccf3b68456139986c7cb5949522d
CobaltStrike
d5fce47c9f644b0cd9d392a93e30bbfdc9368d06250263a200708da9f80e4048
CobaltStrike
e5fa7e3d66f99d172d3eba7af15276e7eb1958748832b8965b9eedba4cbfc90c
CobaltStrike
f6d89ff139f4169e8a67332a0fd55b6c9beda0b619b1332ddc07d9a860558bab
CobaltStrike
f9a19835601dc81b94557b0452cbde314a8f856e9d6371b825f39b627dba2949
CobaltStrike
+ 817 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210517-a87b8k5qba/
Behaviour
Modifies system certificate store
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Metasploit
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/89aafd2448ea64e2897849668311d6995850a06a3665f70767fd8409e493b273

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157788/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-17 09:02:29 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0030.002] Command and Control::Receive Data
1) [B0030.001] Command and Control::Send Data
2) [C0002.009] Communication Micro-objective::Connect to Server::HTTP Communication
3) [C0002.012] Communication Micro-objective::Create Request::HTTP Communication
4) [C0002.017] Communication Micro-objective::Get Response::HTTP Communication
5) [C0002.003] Communication Micro-objective::Send Request::HTTP Communication
6) [C0052] File System Micro-objective::Writes File
7) [C0007] Memory Micro-objective::Allocate Memory
8) [C0018] Process Micro-objective::Terminate Process