MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09d8fb54a22c3bb753fce7dc5192221122cf5dc26b42504ffca254e2521dbf8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	09d8fb54a22c3bb753fce7dc5192221122cf5dc26b42504ffca254e2521dbf8e
SHA3-384 hash:	64084a32cd02efabc1db9e74ad63aea42689b1e5b3a0e947b64c51aca4f4231040ba3f77055793dd5ef294eacf75d57a
SHA1 hash:	be6c19e160240c844b8f07b04c2080412fc4bd50
MD5 hash:	fce75d9b68fcf4a13e76e0fd6f92e1ae
humanhash:	london-indigo-fillet-music
File name:	Ifof.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	474'624 bytes
First seen:	2022-03-21 22:40:03 UTC
Last seen:	2022-03-22 00:56:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	24da2cdd90bb4855a4a5f456b4a45738 (1 x CobaltStrike)
ssdeep	6144:0Y7YvpE6kgzAU+ne0no02f7k0utAH6e3VwvoI8lAPXjylgAgqk7irNa7s6no:n78G6KeGo02jC2zFwAoOgDqkyD
Threatray	1'552 similar samples on MalwareBazaar
TLSH	T13DA48B8FA164C4BAE91D6131C19007C6C332F647A62459DA1758CE29FDE7246FFBBB20
Reporter	malware_traffic
Tags:	CobaltStrike exe

malware_traffic

Cobalt Strike EXE dropped after IcedID infection

Intelligence

File Origin

# of uploads :

# of downloads :

647

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Ifof.exe

Verdict:

Suspicious activity

Analysis date:

2022-03-21 22:17:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a594704c-f425-44b4-80e3-129e174043ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253864/

Detection(s):

SecuriteInfo.com.Malware.AI.4268330525.25997.3673.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Delayed writing of the file

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10247/overview

Behaviour

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed shell32.dll

Link:

https://www.filescan.io/uploads/6238fec90cd58dbd92d1e40d/reports/16ec85a0-818f-4b99-89ed-af23f3ac9fee/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c645e01a-7b05-4169-ac19-7ce5766fc461

Result

Threat name:

Unknown

Detection:

malicious

Classification:

adwa.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/961253

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected Shellcode strings

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/09d8fb54a22c3bb753fce7dc5192221122cf5dc26b42504ffca254e2521dbf8e/

Threat name:

Win64.Trojan.CobaltStrike

Status:

Malicious

First seen:

2022-03-21 22:40:12 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 27 (70.37%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

15ad6630505f5276285e80205b40ebd4a3e975d97b93c390f39c67aad799b6de

CobaltStrike

2825b1fcb91614a08b7c2338e54ee1506915c159bd6a363de7b77c23dd6ea7e0

CobaltStrike

6880a560c6cc3dd49bdc94a90dcc8dc69e55a6d842e76bb0dff0038bad6a762f

CobaltStrike

97fbb35c5073af391068712aa31992c2d6d174c8c297baef188d687fe6f4fd62

CobaltStrike

cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58

CobaltStrike

cf1043d00d87887f92a59e86296d1b7acaf37ccb33e9d2ce1f3c40d669de8ed5

CobaltStrike

e7e2bc2c52d0b57ed7a2d11fa822ef5520559876b7c55f3f38cf8ef62d6ee544

CobaltStrike

+ 1'542 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:1580103824 backdoor trojan

Link:

https://tria.ge/reports/220321-2ljrmsdhe3/

Behaviour

Modifies system certificate store

Cobaltstrike

Malware Config

C2 Extraction:

http://bupdater.com:757/link.css

Unpacked files

SH256 hash:

09d8fb54a22c3bb753fce7dc5192221122cf5dc26b42504ffca254e2521dbf8e

MD5 hash:

fce75d9b68fcf4a13e76e0fd6f92e1ae

SHA1 hash:

be6c19e160240c844b8f07b04c2080412fc4bd50

Detections:

win_bazarbackdoor_auto

Link:

https://www.unpac.me/results/1286a9b4-5cf0-46fc-bd7e-e1647abfeb38/

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/09d8fb54a22c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/09d8fb54a22c3bb753fce7dc5192221122cf5dc26b42504ffca254e2521dbf8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

IcedID

Cape

https://www.capesandbox.com/analysis/253864/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample