MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882
SHA3-384 hash: 3b9dc72e2b69c37de92f167aab2da7b5bd6285d4c057d5d82b8b89a43a6578868c0d9082fd843225253a0e9c5d79255d
SHA1 hash: 5cfa3c1912e2c4c705bc46ab8d3fc741da36a588
MD5 hash: d84d83da2fd80a1bd976615f76a0abc5
humanhash: march-moon-lima-high
File name:Customer Statement.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:294'368 bytes
First seen:2021-02-25 10:52:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e29ec6e50fe54e1496aaf7e62d7a3f66 (2 x CobaltStrike)
ssdeep 6144:oQbMeWKYX1Wq9y6K/jMidOvrQ5BFnjn8iVGbg:zWKYwq9BEMid8Ux
Threatray 619 similar samples on MalwareBazaar
TLSH 4454E546B25444B5D4668DFA8952B38AEE71FC07472493CB13236F7A7E232909BF9313
Reporter ffforward
Tags:BazarStrike CobaltStrike Orca System signed

Intelligence

File Origin
# of uploads :
1
# of downloads :
532
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Customer Statement.exe
Verdict:
No threats detected
Analysis date:
2021-02-25 10:54:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a1dfad24-899a-4687-b550-85f794487fff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119199/
Detection(s):
SecuriteInfo.com.Malware.AI.165480521.18978.10042.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Changing a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/618614
Signature
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anzjvyw3ed2ilqfyh67tnuvcfvrjcn66wibsx6lscmw3t4ualcba._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
4379aad7a920fea59a8f6233f47de514e7ba3783d6ae3c230f458142fa9ae9c3
CobaltStrike
55c7a0ec28ac9319b3d2245882007c7c1f72b3f44970d24c6d5c355f993d1fb9
CobaltStrike
6fc2d85f11a802fd6abca3bd24c3b97af10671772c884a743c6e623382cefd88
CobaltStrike
836db6bde6f664fa42b020c7b4549713022eac87410c1ed1104b6d4df615a599
CobaltStrike
a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11
CobaltStrike
ca00167290891c622745230d52c813ab8e25f18d2106f18fb6dc2594383b58d8
CobaltStrike
cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c
CobaltStrike
e0952195d73431802bf22dad462b2fffda7ae4f4e384aad8e326b0c6404fb5bf
CobaltStrike
ede75c0a88d80043f79025dfd8ef91c3d1b01a1613f4a0347b2ceb29f8b19578
CobaltStrike
f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d
CobaltStrike
+ 609 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/210225-fm621eggya/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Cobaltstrike
Malware Config
C2 Extraction:
http://redwelt.com:443/files/links.gif
http://redwelt.com:443/eso.js
Unpacked files
SH256 hash:
03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882
MD5 hash:
d84d83da2fd80a1bd976615f76a0abc5
SHA1 hash:
5cfa3c1912e2c4c705bc46ab8d3fc741da36a588
Link:
https://www.unpac.me/results/432ea2fe-7fa6-4daa-837a-a5856ab1a0d9/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://tria.ge/210225-5gtb4n2xja
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/119199/

Comments