MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e9f26b9a92ba13916a6e98de924397ec3adc68507a1447a0472d1b4e4d8b2df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments 1

SHA256 hash:	0e9f26b9a92ba13916a6e98de924397ec3adc68507a1447a0472d1b4e4d8b2df
SHA3-384 hash:	c200614a0ae9aa3323f39b20658a55b8f86339e1e58c6789d9f716eb91ce240e0c2e7cde4522df63adb67c2227f04cb8
SHA1 hash:	a95c0c07d8813ba44399a700337a2327be4c7c70
MD5 hash:	61e4596a05e24c5128f866f4d70659ef
humanhash:	berlin-hot-quebec-fanta
File name:	61e4596a05e24c5128f866f4d70659ef
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	3'049'984 bytes
First seen:	2023-10-14 04:47:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f9d27338d7905e39968aef1a4c4b80cd (1 x CobaltStrike)
ssdeep	49152:UGtlq24VwASOM4IU6iDRq2h8Ti6fHXryLjsoc9CjC4J8ugJU1mPt0Dv4t:3H+1q5NIj1J8NS1JD
TLSH	T110E59E96A7A400E4D9B7C138C9569627E7F2F41513B29BCB06A4C6B50F13BE26F3E740
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	zbetcheckin
Tags:	64 CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

390

Origin country :

Vendor Threat Intelligence

Malware family:

cobaltstrike

ID:

File name:

61e4596a05e24c5128f866f4d70659ef

Verdict:

Malicious activity

Analysis date:

2023-10-14 04:49:51 UTC

Tags:

cobaltstrike backdoor

Link:

https://app.any.run/tasks/ae862eb5-6351-43bf-a244-2650f3e429b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454269/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending an HTTP GET request

Sending a custom TCP request

Sending an HTTP GET request to an infection source

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control crypto expand greyware lolbin remote

Link:

https://www.filescan.io/uploads/652a1d83a29a700213a2053e/reports/315502f4-2aad-4b9b-b368-240b6110c1db/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/0e9f26b9a92ba13916a6e98de924397ec3adc68507a1447a0472d1b4e4d8b2df

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9a06f6ca-1b70-4b59-90b8-0a7addffe84f

Score:

74%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0e9f26b9a92ba13916a6e98de924397ec3adc68507a1447a0472d1b4e4d8b2df

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0e9f26b9a92ba13916a6e98de924397ec3adc68507a1447a0472d1b4e4d8b2df/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-13 18:25:53 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

10 of 23 (43.48%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b2psnonjfoqtsfvg5gg6sjbzp3b23rufa6qui6qeoli3jzgywlpq._file

Verdict:

malicious

Label(s):

cobaltstrike

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:100000000 backdoor trojan

Link:

https://tria.ge/reports/231014-fe4mksgc4x/

Behaviour

Cobaltstrike

Malware Config

C2 Extraction:

http://159.89.194.250:8089/jquery-3.3.2.slim.min.js
http://159.89.194.250:8089/jquery-3.3.1.min.js

Unpacked files

SH256 hash:

0e9f26b9a92ba13916a6e98de924397ec3adc68507a1447a0472d1b4e4d8b2df

MD5 hash:

61e4596a05e24c5128f866f4d70659ef

SHA1 hash:

a95c0c07d8813ba44399a700337a2327be4c7c70

Link:

https://www.unpac.me/results/6977a69a-0c60-49ab-b086-06421b9e27f5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0e9f26b9a92ba13916a6e98de924397ec3adc68507a1447a0472d1b4e4d8b2df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/