MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832
SHA3-384 hash:	5f825f42c5fb1853560d9b7f4cd77e2a1740f50d223a3709e6a8a18f800cd85b24d87a165d3f7fad22c256a6f8082e70
SHA1 hash:	d502044bc497218ed2e23b2c4c840ed266ee6b48
MD5 hash:	332244904c04fbff8e9d881767e5bbe9
humanhash:	autumn-nebraska-quiet-quebec
File name:	ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832.bin
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	327'376 bytes
First seen:	2020-12-16 08:38:38 UTC
Last seen:	2020-12-16 10:49:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cc9fe1d008892c82637c18e7a10198d7 (1 x CobaltStrike)
ssdeep	6144:tPvGV/il4hgkXtNNMLPLmKxMLb9yVohrEZ7JT:tGV/ilogojMTLlc9SoYT
Threatray	144 similar samples on MalwareBazaar
TLSH	01647C59B3A918F8ED67C13C88568946E772B8060731C7EF03A446672F277E05E3EB61
Reporter	JAMESWT_WT
Tags:	CobaltStrike ORGLE DVORSAK d.o.o signed

Code Signing Certificate

Organisation:	AAA Certificate Services
Issuer:	AAA Certificate Services
Algorithm:	sha1WithRSAEncryption
Valid from:	Jan 1 00:00:00 2004 GMT
Valid to:	Dec 31 23:59:59 2028 GMT
Serial number:	01
Intelligence:	369 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

548

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832.bin

Verdict:

Malicious activity

Analysis date:

2020-12-16 08:42:25 UTC

Tags:

trojan cobaltstrike

Link:

https://app.any.run/tasks/29cfb8d8-8ea7-4e4c-8129-da93357b249f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/108283/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP GET request

Sending a UDP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/563990

Signature

Contains functionality to detect sleep reduction / modifications

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832/

Threat name:

Win64.Trojan.Shelma

Status:

Malicious

First seen:

2020-12-13 06:03:49 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zjfuwabdt4lg4bhtstrzptuz25astsqzc64pswusxddsfsmzdaza._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

8b681d031297cba8158e0d245cc422f2c59151ec1c7639056c1d9c75f377c792

CobaltStrike

a1d9d1784959597859b70af8479ecb3a5eb577be1bcf10dc2b57fd7beb3ba874

CobaltStrike

a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919

CobaltStrike

c380f48e3d649b6a44b05134108a8c79536f289240e9ed9135e35dadffb6c350

CobaltStrike

d2eee2fa771e54c1a44cfc4d40eef50be4776a25987b72633f7b91faf2302092

CobaltStrike

dddf1d1b2b58721f04fe1eb77804d02fb5fc14deca7d8b4f6a9ce3c55644090e

CobaltStrike

e2aba4ac95ff3b89b59c43aa28d8df2e4875d4931dc81eab57f8ada4625ea712

CobaltStrike

ec2f156359e30aaf1929dff8f4b97deba32fe642d7fb8a76ba2346605c2d94d0

CobaltStrike

f4d129a8289b89a4a8d385d89702bae3c7b5fcf9d32c3b1eee61bc0245bfb99a

CobaltStrike

+ 134 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201216-5hrvr9kgg6/

Unpacked files

SH256 hash:

ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832

MD5 hash:

332244904c04fbff8e9d881767e5bbe9

SHA1 hash:

d502044bc497218ed2e23b2c4c840ed266ee6b48

Link:

https://www.unpac.me/results/cf40a029-e498-4fd0-8620-17132e595ea9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

WanaCrypt0r

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/108283/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample