MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa1621a1171424dfc1671013d1027817d6d8792c1709416754a37abc5ab057fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	fa1621a1171424dfc1671013d1027817d6d8792c1709416754a37abc5ab057fc
SHA3-384 hash:	460578b23fe4c523eeb64094a0f52325bab4379192e46a5fe0eb690233e817055382d64a3a8668a03def07c2d13af8d7
SHA1 hash:	e415c613ea890d2d3cda2b950146bcc85d096d3d
MD5 hash:	8e6f77e892a01981ff7aa81ddb571277
humanhash:	mountain-bluebird-india-kentucky
File name:	fa1621a1171424dfc1671013d1027817d6d8792c1709416754a37abc5ab057fc
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	13'312 bytes
First seen:	2020-08-28 10:43:53 UTC
Last seen:	2020-08-28 11:47:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	192:l11440cTY/4LoQh9D/XF2VmbAhxFEnDnKt+0a+KnxBOd73:X9ThkQh9x2Vlgn2801Knyd7
Threatray	56 similar samples on MalwareBazaar
TLSH	66527D3DCD98423FC2B7C23DC9CB4A03F9919917271DEE4A50D773A65923283B59216D
Reporter	JAMESWT_WT
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

2

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/52306/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader27.39925.13985.12769.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching a process

Creating a process with a hidden window

Creating a file

Creating a window

Connection attempt

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/453443

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Creates a thread in another existing process (thread injection)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa1621a1171424dfc1671013d1027817d6d8792c1709416754a37abc5ab057fc/

Threat name:

ByteCode-MSIL.Trojan.Rozena

Status:

Malicious

First seen:

2020-08-22 15:21:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

1

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ilcdiixcqsn7qlhcaj5catyc7lnq6jmc4eucz2uun5lywvqk76a._file

Verdict:

malicious

Similar samples:

06f5157afd7a7595fbe784a6e098a8286bf5f3cded51f4969b431066baa5c386

301af8928cb550c4917919b4795c5b04061a1e9dcaa2adca222a208c67695b5b

3fb0587d38c59d7b15929a1566fafc764271cfe54f1e117e87f02617a112eafa

4b459c85c8425e368325d8844148e6a058d350374eb721a3da26c4e85ba26973

4c830a4247fc3203fbc7fde4ec81d002fd4899cac3e364a7cb30d15bf09c147e

8a148932d87847341a5cc3e93ba144ea1332229a4334a951449b7458169533bc

d98c29847ea4a1acbc30f95ede18759d9f2ed343dd99d85a542efdf23fd497e5

f15491b940bdf60bc4e906b0c333ea3f7a7f38079a906b80a212901eb5ce0152

f9154f9532ac27b2c21e01fe4b40e24048c598549cfe99e5381817905ad27a8f

ff086b18973ef9d1075c1a5ca6867382566e2d6e4bd4df444eefdb3f8745f454

+ 46 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

trojan backdoor family:metasploit

Link:

https://tria.ge/reports/200828-npmy6kffdx/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MetaSploit

Malware Config

C2 Extraction:

http://106.15.106.246:8888/nU8a

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/fa1621a1171424dfc1671013d1027817d6d8792c1709416754a37abc5ab057fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/52306/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample