MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a392f53396b31d45a8f8af623090a4e3065750cf725781000436c34b0e5683ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	a392f53396b31d45a8f8af623090a4e3065750cf725781000436c34b0e5683ea
SHA3-384 hash:	7851a9411af503ab396bd2fece2f62ea316a622466c695797de1e35faca014770c28aa1037dd107d288c42ca0176decf
SHA1 hash:	9430daaa4f9d5abde3a5ea89b2f8cf8f768c90b3
MD5 hash:	a32ab091f9890c19730396aee7d94541
humanhash:	mike-lion-jig-minnesota
File name:	a392f53396b31d45a8f8af623090a4e3065750cf725781000436c34b0e5683ea.bin
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	26'192 bytes
First seen:	2021-11-17 08:02:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	17b461a082950fc6332228572138b80c (121 x CobaltStrike, 2 x Cobalt Strike)
ssdeep	384:PDMAoKz6WtKEj7aBDi+bxbAYsIYiDze7o5xHRKhhu:LsKLjuu+m0YiD02xKhE
Threatray	88 similar samples on MalwareBazaar
TLSH	T1BDC26C7FA6411CD5C92BC134B8D46732FDB2B16342AA879F267CC3306F10A6516BD52D
Reporter	JAMESWT_WT
Tags:	CobaltStrike exe Nanjing Xingkong Education Consulting Co. Ltd.

Intelligence

File Origin

# of uploads :

1

# of downloads :

561

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

a392f53396b31d45a8f8af623090a4e3065750cf725781000436c34b0e5683ea.bin

Verdict:

No threats detected

Analysis date:

2021-11-17 08:05:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4ac82d6c-9149-49ae-8bf9-8eb058128060

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

Win.Trojan.CobaltStrike-9044898-1

Win.Trojan.CobaltStrike-7899871-1

Win.Countermeasure.LoaderWinGeneric-9804845-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug cobalt exploit overlay packed

Link:

https://www.filescan.io/uploads/6194b73843e8f62b6696aa03/reports/ca51e480-8f7d-4532-a15d-4c62312d2b27/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/595d37e8-8253-40e8-ace4-1e8a6e126164

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/891000

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: CobaltStrike Named Pipe

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a392f53396b31d45a8f8af623090a4e3065750cf725781000436c34b0e5683ea/

Threat name:

Win64.Backdoor.CobaltStrike

Status:

Malicious

First seen:

2021-11-16 08:51:00 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

Similar samples:

055672abeb2d5018279ea2ad039bfa752c1f8333c065e3830ba61b17a65f3731

2949aec1094a9ecaaef168ef50885e49226bb9b46e8c015b74bc98772ac340e6

2c75fcb1983a87e786ec745a20df2f2e508c294da40e956e0c46786005120a6c

339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502

5531524151fcf7af36ff08c7f4a1b00c2c8cd409c64ce0bc2fe022973ba16c0a

673d8268fd21825ca5f21d8b395cdcede7009b60e540cb36c46f5794626faefb

7bc0fdc6b2caf2175c49bfbf735c70e462424aa45cf5d193bd8788eddac08c8c

9a7d2b2c96ee9b7b0ddc1665988d935a719f04cdb2b2dd331ec36aa4f6597506

a8979ed3ebb02513d366e126a8f5e2830f7590207dc30bb936fb0ddfe4bd543b

+ 78 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan

Link:

https://tria.ge/reports/211117-jxpg6ahgc2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Cobaltstrike

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://185.82.217.3:1234/a6db

Unpacked files

SH256 hash:

a392f53396b31d45a8f8af623090a4e3065750cf725781000436c34b0e5683ea

MD5 hash:

a32ab091f9890c19730396aee7d94541

SHA1 hash:

9430daaa4f9d5abde3a5ea89b2f8cf8f768c90b3

Link:

https://www.unpac.me/results/4f80649a-fb85-4a60-b57a-57a0c0824fbf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a392f53396b31d45a8f8af623090a4e3065750cf725781000436c34b0e5683ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/206722/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample