MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fee6b3937d208b95c17dc253ba951f3c7c5a332af98f4e0117ee5bbd47e38843. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	fee6b3937d208b95c17dc253ba951f3c7c5a332af98f4e0117ee5bbd47e38843
SHA3-384 hash:	3f36c938872fd233cd486fe762ba52281da9b49229fcea7f7c3f5069a8e3224347348ca8c6f98c953b808248b3253f16
SHA1 hash:	d22a1f955b1bb6768a631fb99423eb7f72c453ca
MD5 hash:	61a09af0df7259bf97a656b8a4d34338
humanhash:	lithium-carolina-apart-kentucky
File name:	7GPtF4bk.php.dll
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	353'448 bytes
First seen:	2021-06-30 20:54:21 UTC
Last seen:	2021-06-30 21:40:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	64f1814b769b7e8d7e61f45d0e9f5051 (3 x CobaltStrike)
ssdeep	6144:v19x3DRKzQ/ocBrsEIbXaCC83jL7j51QzDTUnHgm:d9gEyX3jHNiQT
Threatray	319 similar samples on MalwareBazaar
TLSH	8074E635EEC18FA3D0D30EB51353E7800AF9CC6A4B05D6CA62667944F1BAAB754C963C
Reporter	James_inthe_box
Tags:	CobaltStrike dll exe signed

Code Signing Certificate

Organisation:	NEJCHFGNUATBMYBQWL
Issuer:	NEJCHFGNUATBMYBQWL
Algorithm:	sha1WithRSA
Valid from:	2021-06-24T08:08:45Z
Valid to:	2039-12-31T23:59:59Z
Serial number:	-28985911a365ed46be0c4f8ceeb584a4
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	f5b63b86cd81298d58a4f997a1bb420257b52ef7c97c40f5d1d234bff05cda4b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

501

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7GPtF4bk.php.dll

Verdict:

Malicious activity

Analysis date:

2021-06-30 20:56:09 UTC

Tags:

trojan cobaltstrike

Link:

https://app.any.run/tasks/e196f5fa-f8ba-4e79-938c-a8afb918a755

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/169005/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.25058.26959.UNOFFICIAL

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dd6c3e49-608f-44c0-bf16-f3a2acdbb1ee

Result

Threat name:

CryptOne CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/810238

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected CryptOne packer

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/fee6b3937d208b95c17dc253ba951f3c7c5a332af98f4e0117ee5bbd47e38843/

Threat name:

Win32.Exploit.CVE-1999-0016

Status:

Malicious

First seen:

2021-06-30 20:54:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

148c4fc6fc9131bd0782484ecc1c392d95e947cd414e9b495fbbb08372d7534f

CobaltStrike

293b8738ec85a19d31ba1abf99c9922ab2868986cf1042fe0a1f623a9f8dcd07

CobaltStrike

40aa02a45bf04b6c7933179a4749624bf992ea0eabe6beb59de50bc0c5a25c5d

CobaltStrike

5bb76f2f2aeb231f65a46f9e37bec1ae9e9ac558677c5b4ce618c9184ae701b7

CobaltStrike

604aa76cd82be8fbee97f4ac48f9f53c79a1b94b7ba8b80cbd820781af29443b

CobaltStrike

b35d8aaa8d0fc82e71782c157ec1f7ba87df914536e7d2e6d5d7ec7a36122933

CobaltStrike

c87ca8e27e058e4cdbb5d5de6bf2c3be01791f2cc3ec1b4452d867bf2f73cd17

CobaltStrike

cc9a713b0db799bb4be1d74f9ef2d043985218e94d5004e5c42a4996dfb33131

CobaltStrike

cd4333533191a81dfd34340d44fa234ab01dffba24c47f6f733e05bef15c9eee

CobaltStrike

+ 309 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:1359593325 backdoor cryptone packer trojan

Link:

https://tria.ge/reports/210630-8yysgpk4sx/

Behaviour

Cobaltstrike

Malware Config

C2 Extraction:

http://37.120.222.56:80/cm

Unpacked files

SH256 hash:

13f8f0121260a1d669f487bff2808c919a9f6138167116153ac09826338136ad

MD5 hash:

18f2f4a00be205df9edfd97282f8d4cb

SHA1 hash:

eda469a109ea097aa943e584bc36ddc39bcb4971

Link:

https://www.unpac.me/results/041d57c4-7a97-428a-b1e4-a081a330ebc2/

SH256 hash:

a78dc6030730f0ec4facf9e8164bc8915bea01a8e9670c238d49134149400064

MD5 hash:

e6a0a11b69860da46fac80f4b802239b

SHA1 hash:

1de49859c303271613e10f71b62f0350163e0bed

Link:

https://www.unpac.me/results/041d57c4-7a97-428a-b1e4-a081a330ebc2/

SH256 hash:

fee6b3937d208b95c17dc253ba951f3c7c5a332af98f4e0117ee5bbd47e38843

MD5 hash:

61a09af0df7259bf97a656b8a4d34338

SHA1 hash:

d22a1f955b1bb6768a631fb99423eb7f72c453ca

Link:

https://www.unpac.me/results/041d57c4-7a97-428a-b1e4-a081a330ebc2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fee6b3937d208b95c17dc253ba951f3c7c5a332af98f4e0117ee5bbd47e38843

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/169005/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample