MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e6a236f66273f314961b8b6731fe76df76d0a900b3561dcf85447ef73041d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	b1e6a236f66273f314961b8b6731fe76df76d0a900b3561dcf85447ef73041d4
SHA3-384 hash:	26df16f304f7b008ef9c0e307b16a491dd5610339bb096ee2727ae18315792b740da8dc65718bd64f232239bc966c652
SHA1 hash:	fcb6ced0887e755a28bbf78d10077895ebcf213e
MD5 hash:	2c6ff9a336df1f2b620769c91fd7b0f6
humanhash:	sweet-social-cola-carpet
File name:	b1e6a236f66273f314961b8b6731fe76df76d0a900b3561dcf85447ef73041d4
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	257'024 bytes
First seen:	2021-04-02 11:23:29 UTC
Last seen:	2021-04-02 12:05:33 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	bf159b76bae19ceeadd5c187bca20577 (1 x CobaltStrike)
ssdeep	6144:vSgMQTEIMv+87yiLipOVji8V6MVJqun9VobN4vAOzqgj2m:7MQTEDv+8LPG8Dqun9Vo5eEi2m
Threatray	255 similar samples on MalwareBazaar
TLSH	E8448E4074C1C872D8BE16300539DBB6467DFD214B78C9EBA7D91E7E4F312C19632AAA
Reporter	JAMESWT_WT
Tags:	151.236.14.53 CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

461

Origin country :

n/a

Vendor Threat Intelligence

Detection:

CobaltStrike

Link:

https://www.capesandbox.com/analysis/131705/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.45748235.11031.5413.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

CobaltStrike Metasploit

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/663760

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected CobaltStrike

Yara detected Metasploit Payload

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1e6a236f66273f314961b8b6731fe76df76d0a900b3561dcf85447ef73041d4/

Threat name:

Win32.Infostealer.Snojan

Status:

Malicious

First seen:

2021-01-20 06:58:57 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

22 of 48 (45.83%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

6aa7014299e01ce49789a7525d0eb3d4d685c220cae8ed4a6fa135c10d327762

CobaltStrike

8af8a2aa6d8db7a9bf93620814017b5296713963b74aba38eb7a35e62dcb7d3e

CobaltStrike

8f3eb6ca303de759c0530906ad4675432d7d3361641b46413e12f325b4028081

CobaltStrike

9b27a5018742f9fd6d6c1f94e56215b64eaf0b263e43b82feec02ceeab208398

CobaltStrike

af3f3371e861b0d5225069256c8561217a2f3ecd5dde0554e2856e4e15222bd5

CobaltStrike

ba1e40a772acdd71dc1e47b4f9ab2767868fd959f072a55c00da383a590c160f

CobaltStrike

bf476d0296be27e3b75b2cad6330839d0f294b094a6d0d50b4cf62010fb17244

CobaltStrike

cc2c6d177b60a3ec0aec1d38ba1f7942293ac85e688182f545720a952b511a97

CobaltStrike

d963d9065339a7172882cb7ad0d3125f4f56aad05fe6fd05a12d7b3feb1d4f80

CobaltStrike

+ 245 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:cobaltstrike family:metasploit backdoor trojan

Link:

https://tria.ge/reports/210402-w96xeaft36/

Behaviour

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Cobaltstrike

MetaSploit

Malware Config

C2 Extraction:

http://151.236.14.53:443/KXAx
http://151.236.14.53:443/load

Unpacked files

SH256 hash:

b1e6a236f66273f314961b8b6731fe76df76d0a900b3561dcf85447ef73041d4

MD5 hash:

2c6ff9a336df1f2b620769c91fd7b0f6

SHA1 hash:

fcb6ced0887e755a28bbf78d10077895ebcf213e

Link:

https://www.unpac.me/results/92e02e37-b122-4d95-9a88-a039a3a4b065/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Swrort

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1e6a236f66273f314961b8b6731fe76df76d0a900b3561dcf85447ef73041d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/131705/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample