MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a
SHA3-384 hash:	6e2bc1b652419fc23fb8024fdb23f97e8ca8b892dd5388d2dc31f22d465aa1faccdc86515be70c355a9f3e412b3cf427
SHA1 hash:	c012eb2f47685d8c0d78936cd50591f26d15c4d5
MD5 hash:	38ac03e53cdc3c34a0ac359037c5684d
humanhash:	diet-echo-spring-foxtrot
File name:	9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	785'440 bytes
First seen:	2021-04-28 16:07:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	66a06a700210bb6a8139670057f873db (1 x CobaltStrike)
ssdeep	12288:hQ0UCgOeWIPd0EJbsEq3C1BHFq5CKTAKQQu+cfhclnlTjczxYqLnOt313d:hDuYI10clhRouXfhcllPczxYqLnOt13d
Threatray	704 similar samples on MalwareBazaar
TLSH	78F48D76BA00BCB5DC8BC6B494C346015E65BC815739F22F1290EE381D4FA98DABBD47
Reporter	ACKSYNjACKSYN
Tags:	CobaltStrike exe signed

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a

Verdict:

No threats detected

Analysis date:

2021-04-28 16:21:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d0d00ba7-7b28-4a71-8d8b-08eb6f44416a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/145052/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Connection attempt

Sending an HTTP GET request

Sending a UDP request

Unauthorized injection to a system process

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/701035

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a/

Threat name:

Win64.Trojan.CobaltStrike

Status:

Malicious

First seen:

2021-03-05 22:16:17 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=set7i4y4wzumabmud4roffag4wlt7f5fj6va5i6yxenrmprxwgna._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882

CobaltStrike

0ec8d01e78f2157589701925ec97ada690046fa17ca65a0db766d96533529aab

CobaltStrike

452363ce4a4695a985d5a6200de2b43692f7e0d4df11f0b30b42fc78a0cc9440

CobaltStrike

84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252

CobaltStrike

8fabea95cbfe1da521dfcd7880ec3301a3a32175741680d8c1a8acacc0199eb7

CobaltStrike

a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11

CobaltStrike

cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c

CobaltStrike

dbafbe9edfdac67a781756a6970a7341fd5401b0914fff7e3e8136cff0426fc5

CobaltStrike

f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d

CobaltStrike

+ 694 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:0 backdoor trojan

Link:

https://tria.ge/reports/210428-fsml5dmzqx/

Behaviour

Suspicious use of WriteProcessMemory

Cobaltstrike

Malware Config

C2 Extraction:

http://vepcdn.microsoft.com:80/lite/static/js/1826.f1c2fa77.chunk.js
http://download.visualstudio.microsoft.com:80/lite/static/js/1826.f1c2fa77.chunk.js

Unpacked files

SH256 hash:

9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a

MD5 hash:

38ac03e53cdc3c34a0ac359037c5684d

SHA1 hash:

c012eb2f47685d8c0d78936cd50591f26d15c4d5

Link:

https://www.unpac.me/results/3aae3710-7345-4365-af57-a48575756180/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	enzo
Description:	Cobalt Strike Beacon Payload

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Cape

https://www.capesandbox.com/analysis/145052/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample