MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5b39009be422e89c793241831efd12c6827de20a56b71783d4fd80db9409910. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5b39009be422e89c793241831efd12c6827de20a56b71783d4fd80db9409910
SHA3-384 hash: 86c0817c4ed990d03e2dd285730e6d7e796e0f7afc10904dac0a13e1db1e7c8e04d35b04ead5b9740c9b9d3226cbaf8c
SHA1 hash: 6af97623ce61dee9f2d6331eb113e2c16831d00f
MD5 hash: 2680d519097273ace671daf7ac0f9e8d
humanhash: purple-football-lamp-sweet
File name:2680d519097273ace671daf7ac0f9e8d
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:353'448 bytes
First seen:2021-07-01 02:27:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 64f1814b769b7e8d7e61f45d0e9f5051 (3 x CobaltStrike)
ssdeep 6144:E19kSaAr3eU3UeDwtNz3Fe8fOV3rK+XLIsq6qUnHgs:69dDb5CVe8WV3rKQqQN
Threatray 320 similar samples on MalwareBazaar
TLSH D174E621EDD19F93C0D74EB51753E78849F98C7A0B05D38B62627A44F0BAAB354C993C
Reporter zbetcheckin
Tags:32 CobaltStrike exe signed

Code Signing Certificate

Organisation:NEJCHFGNUATBMYBQWL
Issuer:NEJCHFGNUATBMYBQWL
Algorithm:sha1WithRSA
Valid from:2021-06-24T08:08:45Z
Valid to:2039-12-31T23:59:59Z
Serial number: -28985911a365ed46be0c4f8ceeb584a4
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f5b63b86cd81298d58a4f997a1bb420257b52ef7c97c40f5d1d234bff05cda4b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
500
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TewT2noyd.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 21:32:14 UTC
Tags:
trojan cobaltstrike
Link:
https://app.any.run/tasks/15231942-330b-4be4-8aef-194ae5beb5c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrike
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169030/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.32335.6338.UNOFFICIAL
Create hunting rule

Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eede547d-02b9-4364-9c32-6564677423de
Result
Threat name:
CryptOne CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810295
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected CryptOne packer
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c5b39009be422e89c793241831efd12c6827de20a56b71783d4fd80db9409910/
Threat name:
Win32.Exploit.CVE-1999-0016
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 23:01:02 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 46 (52.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0ce6ad36ff912286baa98105cbccab3457b2b0fda0796b51f898b695146c4022
CobaltStrike
37a88c00460beed5e1ba3ff00493934c8f8fb0e692b368691d3856454a905073
CobaltStrike
5b11998f63458e0c8f86b101bfa4c08d4d523417dd4763c65712b73e5258d434
CobaltStrike
b6868bf6126b8450e2863450959b4d8889d96e10e0f472de0d7269b3c8eff4e3
CobaltStrike
c19335daa94f85852468d5dad1fb9cf93bf121aee3eac8203180d88479965d94
CobaltStrike
c4c0bee389392c0677fd977cac9eaa868448c42d8b90281872cdf5b804e0525c
CobaltStrike
cc9a713b0db799bb4be1d74f9ef2d043985218e94d5004e5c42a4996dfb33131
CobaltStrike
d764ee64bc0d769c20c4823f0981ba1bf17e46c38812cd5036f0e2cfadb23b61
CobaltStrike
d859175475c077d7193ce0f1ee703ee4be5dd0804c45da6cbd447b7909c9a09f
CobaltStrike
dbef3369c686529f60b2e1cdf5090f31122f5d6a53e6112eea4078a805e5c455
CobaltStrike
+ 310 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:1359593325 backdoor cryptone packer trojan
Link:
https://tria.ge/reports/210701-5g8gt577f6/
Behaviour
Cobaltstrike
Malware Config
C2 Extraction:
http://160.20.147.250:80/j.ad
Unpacked files
SH256 hash:
9986283a44e58e95d8da5a4182a1f54a008ac91de749eae328b7366e07adfdac
MD5 hash:
154c2221ab702aeb61e0d648105b19fd
SHA1 hash:
2ba95ff3391ec3ea540577422601c98e84c4997f
Link:
https://www.unpac.me/results/b0ba3406-5e0a-48b9-936c-6d9c7658d7b1/
SH256 hash:
b0e67b810e09da41a9986c08710b1aa50414ea29bce658f525c76dc844835c1c
MD5 hash:
bcba28fb4272085c5e3d2844f2f1617e
SHA1 hash:
c2c254c1d8471cb00a3898c0cfae5372d50e4751
Link:
https://www.unpac.me/results/b0ba3406-5e0a-48b9-936c-6d9c7658d7b1/
SH256 hash:
c5b39009be422e89c793241831efd12c6827de20a56b71783d4fd80db9409910
MD5 hash:
2680d519097273ace671daf7ac0f9e8d
SHA1 hash:
6af97623ce61dee9f2d6331eb113e2c16831d00f
Link:
https://www.unpac.me/results/b0ba3406-5e0a-48b9-936c-6d9c7658d7b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/c5b39009be422e89c793241831efd12c6827de20a56b71783d4fd80db9409910

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe c5b39009be422e89c793241831efd12c6827de20a56b71783d4fd80db9409910

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1414869/
Cape
Cape
https://www.capesandbox.com/analysis/169030/

Comments


Avatar
zbet commented on 2021-07-01 02:27:49 UTC

url : hxxps://dasgutes.design/wp-content/plugins/tco-white-label/functions/enqueue/Bo7TjX1L2.php