MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06a7f59065d52173bc396ac1a6492002497cc0af629add4ef3195d0d25164685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	06a7f59065d52173bc396ac1a6492002497cc0af629add4ef3195d0d25164685
SHA3-384 hash:	f6a310433e6d6fe5fae68766124a4ea8918b4cd5d8518bad010efdcc818b264c462a76b505829ccaff71bcca01777a86
SHA1 hash:	30fc84d410100bd31973d9a5e1ea245b5b229876
MD5 hash:	c9be60bc6dfc476342f9025c827c7976
humanhash:	chicken-twenty-delaware-florida
File name:	360 小红伞 install.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	3'241'984 bytes
First seen:	2022-05-26 13:25:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	35a81d16af9f2ba6d515f11152d0364b (57 x CoinMiner, 2 x CobaltStrike)
ssdeep	98304:10Z06KqtOt7/qOUYHw0UNhSSIZXjOuI1R8G:qiy4t+OUUgNhOR6uIEG
Threatray	2'211 similar samples on MalwareBazaar
TLSH	T1F5E533E927615350D26D4972C83B3B9FDEDB4917E8E6EF468022353796483BE02FB904
TrID	45.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.2% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1) 0.2% (.VXD) VXD Driver (29/21)
File icon (PE):
dhash icon	30f0e8e698ecf030 (1 x CobaltStrike)
Reporter	obfusor
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

682

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

360 小红伞 install.exe

Verdict:

No threats detected

Analysis date:

2022-05-26 13:29:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b6eee1b7-7ee4-4556-b6bc-42ec14d5bf23

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/274757/

Detection(s):

SecuriteInfo.com.BackDoor.Meterpreter.157.19739.2602.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/628f80290be8a16da4ec0a6b/reports/f94919a4-16c7-4da9-81c0-91b19d066295/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b70b02b1-9447-4abb-94c7-dd96b7ae038c

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1002141

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/06a7f59065d52173bc396ac1a6492002497cc0af629add4ef3195d0d25164685/

Threat name:

Win64.Backdoor.CobaltStrikeBeacon

Status:

Malicious

First seen:

2022-05-14 09:31:32 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412

CobaltStrike

3800235b9c767007ae8bcea37cecc720d787a97b46d6adea7e73ac305c6cb192

CobaltStrike

38582026970861e90f4f3f15da60fa5c8bc8759a2fab6c58a6c262d9096ac1e4

CobaltStrike

694265b2dc50bce5062d298872ff396dfc0e054017ecc209a6083faf8ddee107

CobaltStrike

d02c327f66ef7271ae793669b33b5b201b539355e8f0e3bf137071dbdeca6562

CobaltStrike

d63c19155af0a329cd61cd832d7c4d2d5bbcb61067ea764283b664605979864f

CobaltStrike

e4e2543f5f4cd37a6d436b1a4bb5ee2bcb1a6c8c64e5067d031efe428c4f9b24

CobaltStrike

e51d5a34e88b31078df596dfc8a162c2cd2a0d4e3d3e8228301e3cec9f88d22c

CobaltStrike

f6db67d86284b56e01a696535996455416a4e86ec12b923721771d010210c487

CobaltStrike

+ 2'201 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/220526-qphg7sbge3/

Behaviour

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

06a7f59065d52173bc396ac1a6492002497cc0af629add4ef3195d0d25164685

MD5 hash:

c9be60bc6dfc476342f9025c827c7976

SHA1 hash:

30fc84d410100bd31973d9a5e1ea245b5b229876

Link:

https://www.unpac.me/results/3ada0d3e-eca9-4f0e-a50e-ad213d9b24a5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/06a7f59065d52173bc396ac1a6492002497cc0af629add4ef3195d0d25164685

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274757/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample