MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507
SHA3-384 hash:	d846254ebab0c0ce479e5fe2cf57ddeb76e7d6a9c9b10f9c940498e08991642c7783f6b07fa11568309cb937615c0591
SHA1 hash:	ab30790a0fd8fd3759e39d7cfc4406a7eb6b2249
MD5 hash:	be7f645dcf43a1b15c4f2e018ed603b3
humanhash:	leopard-twenty-hydrogen-july
File name:	0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507.bin
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	5'385'368 bytes
First seen:	2021-04-27 06:40:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d8bb7ff20ee28065e7f762f91eee2327 (3 x CobaltStrike)
ssdeep	98304:fN6ynFMPDpKmj4rcE6YsTdvlh0AMPVybmHz9JWzPjQs/3r:V6yQhWsK0Prr
Threatray	26 similar samples on MalwareBazaar
TLSH	2D467C31B68BC136D56F07712A2DDBAE51797EA22B7340D767E41E6E09B18C24231F23
Reporter	JAMESWT_WT
Tags:	CobaltStrike Quicktech.com signed

Code Signing Certificate

Organisation:	Quicktech.com
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2020-09-28T00:00:00Z
Valid to:	2021-09-28T23:59:59Z
Serial number:	70d896117e15302c7eefecb289b3bfe0
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	c747b20c080c1d0ba04308a496c279acd4060b204a9506a7bcdd6e613fc09698
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

570

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

Win.Trojan.CobaltStrike-9044898-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

DNS request

Sending an HTTP GET request

Sending a UDP request

Creating a file in the %temp% directory

Deleting a recently created file

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

n/a

Score:

36 / 100

Link:

https://www.joesandbox.com/analysis/698623

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507/

Threat name:

Win32.Trojan.CobaltStrike

Status:

Malicious

First seen:

2021-04-15 13:47:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 47 (19.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b67rmwegbjxwk37krdchnyo6mmblvo27mforcem72tdu3zzzoudq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

39067a6a8ac06d60189b34afbb9acd73e8e33aba91653c39a037c2f78f972f29

CobaltStrike

4ce2900b5846f04521fdeb065a8350023c59f1d67b3b9347d505bc4f1796892f

CobaltStrike

7e8a4bbdc12c7caefb486b28be1eebf0e35a8ad5f745aae17abbe7f40aff661f

CobaltStrike

a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11

CobaltStrike

bcbd4211108cf3c477de91d78383150e1d30f98d41c372770503eb259a762824

CobaltStrike

c2c2d8aab3b2c72e34767d16ee029a09035851b9aa6773ca5d83804aa2cfe911

CobaltStrike

cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c

CobaltStrike

dbafbe9edfdac67a781756a6970a7341fd5401b0914fff7e3e8136cff0426fc5

CobaltStrike

f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d

CobaltStrike

+ 16 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/210427-acdyasv6pj/

Behaviour

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Enumerates connected drives

Loads dropped DLL

Unpacked files

SH256 hash:

0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507

MD5 hash:

be7f645dcf43a1b15c4f2e018ed603b3

SHA1 hash:

ab30790a0fd8fd3759e39d7cfc4406a7eb6b2249

Link:

https://www.unpac.me/results/72012520-163a-4c54-ae4e-2e593ebc35bf/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

CobaltStrike

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0fbf1658860a6f656fea88c476e1de6302babb5f615d11119fd4c74de7397507

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/144445/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample