MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f45e5f160a6de454d1db21b599843637103506545183a30053d03b609f92bbdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f45e5f160a6de454d1db21b599843637103506545183a30053d03b609f92bbdc
SHA3-384 hash: 1f7d686e3eb74a063a49461639e5005bc2c23d55b10cfb280eb6ce8e584ecc16da4ce446a58663b4e781de1fb887dc53
SHA1 hash: 22a4ff201f2f43be05fe9daf47494b4d212f8570
MD5 hash: e7d538a5b589f6c9bd32f46254ca6ad7
humanhash: don-mango-apart-potato
File name:f45e5f160a6de454d1db21b599843637103506545183a30053d03b609f92bbdc
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:867'248 bytes
First seen:2021-12-06 22:21:12 UTC
Last seen:2021-12-07 11:41:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b7a56b6a18e2e0885452c3bbddd2255a (1 x CobaltStrike)
ssdeep 24576:yKPvBE85/2yEoLnnhbk9iL7UIGCiGlIzF3DfTPz:yerxG9iL7gzF3DfTb
Threatray 13 similar samples on MalwareBazaar
TLSH T18D056B40EFC24DE7DDB1053555EB9676AA32A60A3B12C7C3E3883531B9117D22AB71EC
Reporter Anonymous
Tags:CobaltStrike exe MACHINES SATU MARE SRL signed

Code Signing Certificate

Organisation:MACHINES SATU MARE SRL
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-05-27T00:00:00Z
Valid to:2022-05-27T23:59:59Z
Serial number: 5fbf16a33d26390a15f046c310030cf0
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 2dd9f7184668e5ae623df2da34f529629725f1751d788cb909b3f4f8840ed803
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
697
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f45e5f160a6de454d1db21b599843637103506545183a30053d03b609f92bbdc
Verdict:
Suspicious activity
Analysis date:
2021-12-06 22:28:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9ecfd814-e151-4a9b-8942-a2b87114d8ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211950/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1153/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61ae8d0e4d8e6f3a5e156ccf/reports/0e036fda-de4c-4e1c-b2dc-694f426bdf09/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Meterpreter
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2605ab0-f6d2-4c32-a56b-ddb06510a24a
Result
Threat name:
Meterpreter ReflectiveLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/902701
Signature
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Yara detected Meterpreter
Yara detected ReflectiveLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f45e5f160a6de454d1db21b599843637103506545183a30053d03b609f92bbdc/
Threat name:
Win32.Backdoor.Meterpreter
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 22:22:15 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6
CobaltStrike
534b9bc8809ae37a2beada5b9d868bda1c17c32be812ec3b30de2ad2382014a0
CobaltStrike
83b1180e8794a4d719586d4f5fe237b37167ef93c186d3c0976a70d39541c72f
CobaltStrike
9d88e62b7da45ea1be4c02dec30b6a31b53d42c31d1785f4a992e55c0147d825
CobaltStrike
b38335142ba340beae4fcb0018d8c6747cc2e019e5aa73de2e98336d7d505f4d
CobaltStrike
c37b9479b2968218e9019296f1069b7ef6cc65abeb2b48cb34ac682a2c8c736e
CobaltStrike
+ 3 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/211206-198v1aaca3/
Behaviour
Modifies system certificate store
Downloads MZ/PE file
Cobaltstrike
Unpacked files
SH256 hash:
f45e5f160a6de454d1db21b599843637103506545183a30053d03b609f92bbdc
MD5 hash:
e7d538a5b589f6c9bd32f46254ca6ad7
SHA1 hash:
22a4ff201f2f43be05fe9daf47494b4d212f8570
Link:
https://www.unpac.me/results/8eb6a1bc-0f78-44e7-b8db-33815902e622/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f45e5f160a6de454d1db21b599843637103506545183a30053d03b609f92bbdc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211950/

Comments