MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919
SHA3-384 hash:	c3c288bc9ab574f402972219216fa765d6987b1c0349e087a19038772e82a883f341a1bdf46a109e7d9b7c91d07826df
SHA1 hash:	9d6cec79f2456eb7f1f277223f691dab49755473
MD5 hash:	9e7780944f795a5e4c5fb6a1cf23c5e9
humanhash:	foxtrot-georgia-sodium-blossom
File name:	123.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	24'040 bytes
First seen:	2020-10-21 12:16:56 UTC
Last seen:	2020-10-21 13:00:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c72b6cc3836b5e0f23343ef1c8e12156 (1 x CobaltStrike)
ssdeep	384:RD8sl9R1qutx0mtOjqiXg4GPWJeq4ud3yVeGUwHXPjdHbhYqiWLOi0ThWsE6GfZ3:RFl9R1qKxztEDhGPkbyevI7lbFLOiYSp
Threatray	31 similar samples on MalwareBazaar
TLSH	CCB2C00E156650CAC1074C3382E794B68B7672EBB7F1648F765E80730FC7B88965B83A
Reporter	JAMESWT_WT
Tags:	CobaltStrike Katarzyna Galganek mim e coc

Code Signing Certificate

Organisation:	Katarzyna Galganek mim e coc
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Feb 28 00:00:00 2020 GMT
Valid to:	Feb 27 23:59:59 2021 GMT
Serial number:	2A52ACB34BD075AC9F58771D2A4BBFBA
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	C839065A159BEC7E63BFDCB1794889829853C07F7A931666F4EB84103302C1C9
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

3

# of downloads :

93

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/74123/

Detection(s):

SecuriteInfo.com.BackDoor.Meterpreter.157.5554.30582.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Connection attempt

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/505803

Signature

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919/

Threat name:

Win64.Trojan.Wacatac

Status:

Suspicious

First seen:

2020-10-20 21:05:59 UTC

File Type:

PE+ (Exe)

Extracted files:

2

AV detection:

22 of 48 (45.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=umxdplqi22tshx7xge6znpd6ep7jw7nrqkk6felphsjvkmbstemq._file

Verdict:

malicious

Label(s):

cobaltstrike

Similar samples:

05815c1e6e37cf16bb24c456836069a7709df19505708d26f503ff46360001ba

080ef9f0362e415d3292125aa97d460f0499b6bec9596e2e580aef1fd7576e07

87dca59ec3d55bcb1b05da564e5ce0a164ab633f1c46a18a97f72a30efff7388

9a7d2b2c96ee9b7b0ddc1665988d935a719f04cdb2b2dd331ec36aa4f6597506

a1d9d1784959597859b70af8479ecb3a5eb577be1bcf10dc2b57fd7beb3ba874

c380f48e3d649b6a44b05134108a8c79536f289240e9ed9135e35dadffb6c350

e99cc027c77bed5c1414225e39093bde66c654a9adfcca9cb3ddafa266410aea

ec2f156359e30aaf1929dff8f4b97deba32fe642d7fb8a76ba2346605c2d94d0

f4d129a8289b89a4a8d385d89702bae3c7b5fcf9d32c3b1eee61bc0245bfb99a

f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f

+ 21 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201021-kj7z5j7hs2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919

MD5 hash:

9e7780944f795a5e4c5fb6a1cf23c5e9

SHA1 hash:

9d6cec79f2456eb7f1f277223f691dab49755473

Link:

https://www.unpac.me/results/7122cfcb-a0db-46a9-bd29-51eae1f42be9/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/74123/

URLhaus

https://urlhaus.abuse.ch/url/729134/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample