MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7

SHA256 hash: 8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b
SHA3-384 hash: 4f1f1e6e8bfe476419a18be23b912bcebb5631bf96a04ab811b78178e7ca2f7eb19a62d6d50a3b8728af80c823b8f044
SHA1 hash: ef9477be4488dbd52e165c4c1936b454647e23d2
MD5 hash: fc0bc692d4d678a8df9d7f7cde8b9293
humanhash: sink-pip-spaghetti-freddie
File name: 8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b
Signature: CobaltStrike
File size: 1'975'296 bytes
First seen: 2020-11-13 16:04:27 UTC
Last seen: 2024-07-24 18:47:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:Jwd2G0hJWaU7B45k1/3cRC/RFQqk2PreDF26m0g:mD0hJL5k1/MROLk2Pq
Threatray: 187 similar samples on MalwareBazaar
TLSH 1A95F02273DDC371CB6A9173BB29B7013E7B38654670B85B2F980DBCA950171562CBA3
Reporter: seifreed
Tags: CobaltStrike

Intelligence


File Origin
# of uploads: 2
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Creating a file in the %temp% directory
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the User Account Control
Changing the Windows explorer settings
Setting a prohibition to launch some applications
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Adding exclusions to Windows Defender
Enabling a "Do not show hidden files" option
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Task List balloon tips (likely to suppress security warnings)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Hides user accounts
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected CobaltStrike
Behaviour
Behavior Graph (ID 316416; sample 2rYTU7Mzo9; start date 14/11/2020; architecture WINDOWS; score 100), recovered from the flattened graph export:
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures.
Process tree:
- 2rYTU7Mzo9.exe (started)
  - network: iplogger.org (88.99.66.31, 443, 49718; HETZNER-AS, DE, Germany)
  - dropped: C:\ProgramData\install\taskhosta.exe (PE32)
  - dropped: C:\ProgramData\RealtekHD\taskhostw.exe (PE32)
  - signatures: Hides user accounts; Disable Task List balloon tips (likely to suppress security warnings); Changes the view of files in windows explorer (hidden files and folders); 2 other signatures
  - started taskhosta.exe
    - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 5 other signatures
    - started taskhosta.exe (second instance)
      - network: 31.44.184.48, 49717, 49719, 49721 (PINDC-AS, RU, Russian Federation)
  - started taskhostw.exe
    - network: 31.44.184.108, 21, 49720 (PINDC-AS, RU, Russian Federation)
  - started cmd.exe
    - started conhost.exe
    - started sc.exe
- taskhostw.exe (started at top level)
Threat name: Win32.Trojan.BetaBot
Status: Malicious
First seen: 2020-11-13 16:16:54 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: metasploit
Score: 10/10
Tags: family:metasploit backdoor evasion persistence trojan
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
System policy modification
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Loads dropped DLL
Blocks application from running via registry modification
Executes dropped EXE
Stops running service(s)
MetaSploit
Modifies Windows Defender Real-time Protection settings
Modifies visibility of hidden/system files in Explorer
UAC bypass
Malware Config
C2 Extraction:
http://31.44.184.48:80/tv99
Unpacked files
SHA256 hash:
8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b
MD5 hash:
fc0bc692d4d678a8df9d7f7cde8b9293
SHA1 hash:
ef9477be4488dbd52e165c4c1936b454647e23d2
SHA256 hash:
24587d696491c5e1d3fa5a590079bc7a66e0c9ec8c5e84207f1630da84bdbaf1
MD5 hash:
7cee347d37ee58b80acc67b38dc4f11d
SHA1 hash:
4a615c9a5a52236737de53114a4a87779076de46
SHA256 hash:
a06f587540370423d7e29e20e7389df485009f362c36a56d3f91e118f9d2a2e6
MD5 hash:
88b9d48bfdeebf40d4ce99d13700a873
SHA1 hash:
59999754faf709a82a37b6d6ff1051c4afcae708
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments