MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 047402ec1c36b09a5bbdf8cac3fd8f46cc1ea4c51a67f1bc347c2f4e4369cd6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	047402ec1c36b09a5bbdf8cac3fd8f46cc1ea4c51a67f1bc347c2f4e4369cd6e
SHA3-384 hash:	feb2c164fe6c1768802339a33e6b348231cb688cefd3cda5b1b80a47b25d0410f1446be6acdcebcf6ae1b731cb8f5725
SHA1 hash:	cadd4cf3ade342a475d5bc4a54164f27eb35dda7
MD5 hash:	cc5393dd6d47f70f402a6c05d7f282a6
humanhash:	north-cat-march-nuts
File name:	047402ec1c36b09a5bbdf8cac3fd8f46cc1ea4c51a67f1bc347c2f4e4369cd6e
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	262'144 bytes
First seen:	2020-10-24 21:20:54 UTC
Last seen:	2020-10-24 22:23:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8c3735f4acc1ff228e16baf9855cb862 (2 x CobaltStrike)
ssdeep	3072:Br+U7LVLn1BFdjGQX8dbDCRUCnhqxmTy1WOeJfUuIRrT10ZFPjEzcuT5SxAgYJug:Br+USu+WOeOTCjLEIuT/g7j2
Threatray	31 similar samples on MalwareBazaar
TLSH	A0445A4532A07CF5ECA7D63AC6534617EFF27C664630D70F03641AAA4F273A1A22E365
Reporter	seifreed
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/75278/

Detection(s):

SecuriteInfo.com.BackDoor.Meterpreter.157.10492.19929.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/508777

Signature

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Exe Launched By ReflectiveLoader Dll

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/047402ec1c36b09a5bbdf8cac3fd8f46cc1ea4c51a67f1bc347c2f4e4369cd6e/

Threat name:

Win64.PUA.CobaltStrikeBeacon

Status:

Malicious

First seen:

2020-10-12 20:10:50 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ar2af3a4g2yjuw557dfmh7mpi3gb5jgfdjt7dpbupqxu4q3jzvxa._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

15073e335455478c4bf28954f35f6ab8f692527786b3d4436acb0e55097bb952

CobaltStrike

39a7738c00d6a5dcc4709ad2e3f0b57565f7dc0325bdb5942c3e696c5736bc5a

CobaltStrike

492dedfe1a550c4786e5e58435b9f385a415ec4704e008ab0343f006a8ce00da

CobaltStrike

87dca59ec3d55bcb1b05da564e5ce0a164ab633f1c46a18a97f72a30efff7388

CobaltStrike

9a7d2b2c96ee9b7b0ddc1665988d935a719f04cdb2b2dd331ec36aa4f6597506

CobaltStrike

9c3b7ba8d375f19993312a6ac20418e0d107d73b30d585e9ad3646e150ff7c5a

CobaltStrike

a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919

CobaltStrike

bdeec4adcae05874a1a5727a910e9522781550b5b3acfefa03ac20565785e6fe

CobaltStrike

d44d718c247b1664861f987b1725314f152e43e7c1da80b163f812e1b7c3fdb7

CobaltStrike

+ 21 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201024-gxnen7a7fj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Malware Config

C2 Extraction:

http://www.infosystemsjobs.com:443/AzureHubs/api/Telemetry

Unpacked files

SH256 hash:

047402ec1c36b09a5bbdf8cac3fd8f46cc1ea4c51a67f1bc347c2f4e4369cd6e

MD5 hash:

cc5393dd6d47f70f402a6c05d7f282a6

SHA1 hash:

cadd4cf3ade342a475d5bc4a54164f27eb35dda7

Detections:

win_cobalt_strike_auto

Link:

https://www.unpac.me/results/ff21c49b-9d7e-4a76-84f1-f1c7170abbdb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Swrort

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/047402ec1c36b09a5bbdf8cac3fd8f46cc1ea4c51a67f1bc347c2f4e4369cd6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	MALW_cobaltrike Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect CobaltStrike beacon

Rule name:	ReflectiveLoader Create hunting rule
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/75278/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample