MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00906f1cf709f6591880f952da59f41a3019944d23824e000592fe7de035c446. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	00906f1cf709f6591880f952da59f41a3019944d23824e000592fe7de035c446
SHA3-384 hash:	d87d8c5018aa88c030b7fa14b1759efa6bbec6c477ad6a2a26a3e473668e83edb2bbe33590bc7823ca7dc9710271e338
SHA1 hash:	16df04c315e08d502d0e901363ad13440bea455a
MD5 hash:	50d67082c368cbd59090d2b1e81aebfb
humanhash:	potato-hot-carbon-fifteen
File name:	50d67082c368cbd59090d2b1e81aebfb.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	12'800 bytes
First seen:	2021-08-26 05:49:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep	192:o9PQFnTaojOmiVmN0TIvF7jF66bPcBzNynTB46T1Bs59LC7kkvVjg/Pop8l1T6:mYtbp6EVVb5tVjgHe2
Threatray	1'221 similar samples on MalwareBazaar
TLSH	T10D42F60777C44322C999393807FB562F93B6B9D71733975ABF9E82216B123911E07BA0
Reporter	abuse_ch
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

531

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

50d67082c368cbd59090d2b1e81aebfb.exe

Verdict:

Malicious activity

Analysis date:

2021-08-26 05:52:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0331ccbb-0ed3-49a3-af64-ae2231905201

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/182477/

Detection(s):

Win.Trojan.MSShellcode-5

Win.Trojan.CobaltStrike-7913051-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Connection attempt

Sending a custom TCP request

Sending a UDP request

Unauthorized injection to a system process

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2a702833-ded4-46e5-a5a2-809b5c8b53da

Result

Threat name:

CobaltStrike Metasploit

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/839476

Signature

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Writes to foreign memory regions

Yara detected CobaltStrike

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/00906f1cf709f6591880f952da59f41a3019944d23824e000592fe7de035c446/

Threat name:

Win32.Trojan.TurtleLoader

Status:

Malicious

First seen:

2021-08-26 05:50:12 UTC

AV detection:

20 of 38 (52.63%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

1b11ae98b85bb0645abe36adcd852e6e84b51c6b5c811729f3c19f14f32d4e4f

CobaltStrike

2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c

CobaltStrike

8438bfbb9c978de4f342a3ed19551f735343a9c1ed0c8610a332a83918cb5985

CobaltStrike

954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e

CobaltStrike

971c693bc67cf7b4b9655282b815bc1ba10ee937f1736ba1ef5fdb7aea392f6c

CobaltStrike

bb4efe96748fcc28b827fc297d060c3ab32053cfb8ea506f8c97000debd22121

CobaltStrike

d1d0c9d1ee7b800d491c9fb3fc94b93e5c59d903a4debb092846c46481077ae0

CobaltStrike

e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407

CobaltStrike

+ 1'211 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:cobaltstrike family:metasploit backdoor trojan

Link:

https://tria.ge/reports/210826-382k3mtk2j/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Cobaltstrike

Malware Config

C2 Extraction:

http://45.9.148.138:443/damage/whois/7XHX3OLQ7
http://45.9.148.138:443/Upload/init/SE1XC8RPO0

Unpacked files

SH256 hash:

00906f1cf709f6591880f952da59f41a3019944d23824e000592fe7de035c446

MD5 hash:

50d67082c368cbd59090d2b1e81aebfb

SHA1 hash:

16df04c315e08d502d0e901363ad13440bea455a

Link:

https://www.unpac.me/results/68345465-5083-472a-8aa1-bf4d0b9b414d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/00906f1cf709/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.84

Link:

https://yomi.yoroi.company/submissions/00906f1cf709f6591880f952da59f41a3019944d23824e000592fe7de035c446

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_RAW_Payload_https_stager_x64 Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	Cobaltbaltstrike_RAW_Payload_https_stager_x86 Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/182477/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample