MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a74108f43988425efb369e2a59a5e7d56f74cc6a4af9f50d68a380354020027f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 7



SHA256 hash: a74108f43988425efb369e2a59a5e7d56f74cc6a4af9f50d68a380354020027f
SHA3-384 hash: 0de05c3f3553f71c51e52ea333b84f5493bf6c6e77217d93f6343a105409c4468bf4f91643253be1d526e13cf558d06f
SHA1 hash: e67905203c5027336b8fa04431641d109e0c53e9
MD5 hash: b550c587c5028aec797cf569ec366f83
humanhash: quiet-quiet-winner-india
File name: 379435cc19c93.exe
Signature: CobaltStrike
File size: 6'484'480 bytes
First seen: 2020-10-23 20:22:09 UTC
Last seen: 2020-10-23 20:45:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e4c6ad183a6c705d4cdd8fe2ee73994c (1 x CobaltStrike)
ssdeep: 12288:INkjsOM7hEYSW1syEsK7WHKBpmBqMnQH6CM0o/EM/iVUXPwhoV:IN2sAYSW1sTgKycMnQZM0F2iVU/whoV
Threatray: 97 similar samples on MalwareBazaar
TLSH: A066CFA1F2E04933D17B26749D5B856858217F246974AC4B2BFA7C4CAF7B3833427287
Reporter: James_inthe_box
Tags: CobaltStrike exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a window
Sending a UDP request
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 92 / 100
Signature
Antivirus / Scanner detection for submitted sample
Hijacks the control flow in another process
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Result
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-10-18 01:16:00 UTC
File Type: PE (Exe)
Extracted files: 56
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: cobaltstrike
Score: 10/10
Tags: trojan backdoor family:cobaltstrike
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
Cobaltstrike

Malware Config
C2 Extraction: http://binbong.net:443/maps/overlaybfpr

Unpacked files
SHA256 hash: a74108f43988425efb369e2a59a5e7d56f74cc6a4af9f50d68a380354020027f
MD5 hash: b550c587c5028aec797cf569ec366f83
SHA1 hash: e67905203c5027336b8fa04431641d109e0c53e9

SHA256 hash: 5c7ed92a59a55c0a468bf5d923531bb8724dc7ef34eb2d3046d9be5013016553
MD5 hash: 9ae0799561738791c57851267fc4807b
SHA1 hash: 793e6d0651f807e26a70cc03bed663cce187dc79

SHA256 hash: 8cec568c3e5bc08850b39263e43c9dea7f605428299a3b55f31f6f7f69dfdbf5
MD5 hash: 621d246f78a13d9ec7e952dd8212b2b8
SHA1 hash: 8a6fe18bdf6b303046bab415c506a6208baad30e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Other
