MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14bdf9b3bcb10c51b8dc10275ced93259dbf62ce31331ab3ccf6e5317d7a3cf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14bdf9b3bcb10c51b8dc10275ced93259dbf62ce31331ab3ccf6e5317d7a3cf5
SHA3-384 hash: 36dffe77798aa3d9250650cdf9f038eff5035466ee5c83f57a6d3c51ee61769c7caeb27290221bfdd1762cc583ccc975
SHA1 hash: 1f45b9d7573d182449935c1d39bde1fb11c7e3bc
MD5 hash: 48073731d6bc08d6edba5cd9e157729a
humanhash: princess-glucose-charlie-cardinal
File name:SecuriteInfo.com.BackDoor.Meterpreter.166.30487.16509
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:310'288 bytes
First seen:2020-12-24 03:32:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ac41327ece1dde898c16ea083108b18 (1 x CobaltStrike)
ssdeep 6144:GnL6eUKgjJHWcd8IoUl7U/fFqjohz1nXcFOCRL:GnL6ZKghWIFlw/gjoHspL
Threatray 8 similar samples on MalwareBazaar
TLSH EA646C5DB29414F8ECA7837CCD425546E63274060772CAFF03A192673F276E4AE3AB61
Reporter SecuriteInfoCom
Tags:CobaltStrike

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'361
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.BackDoor.Meterpreter.166.30487.16509
Verdict:
No threats detected
Analysis date:
2020-12-24 03:34:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e1547ae0-2ca8-474a-8bce-9a0d478a6b75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109277/
Detection(s):
SecuriteInfo.com.BackDoor.Meterpreter.166.30487.16509.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending a custom TCP request
Creating a file
Launching the default Windows debugger (dwwin.exe)
Forced system process termination
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/569555
Signature
Allocates memory in foreign processes
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14bdf9b3bcb10c51b8dc10275ced93259dbf62ce31331ab3ccf6e5317d7a3cf5/
Threat name:
Win64.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 15:44:32 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cs67tm54wegfdog4catvz3mtewo36ywogezrvm6m63stc7l2ht2q._file
Verdict:
malicious
Similar samples:
02efd5f4d8dedabeab8e75f3e49a8fdb05c28dfd39bc1e5c96e8213fe3212e9f
CobaltStrike
15305978d7c42e26d908feca9aed4efa3df89ae6524ecce10752a2ee3cdf813f
CobaltStrike
3a226a3d31e8ba855fbc78efb76f820306f4f60e979333b241c7dadd70a5740d
CobaltStrike
60755909e216dc65f11b7b49ae73ad3e08cb1c5e4255916ea195dbd896f3ae73
CobaltStrike
ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832
CobaltStrike
d2eee2fa771e54c1a44cfc4d40eef50be4776a25987b72633f7b91faf2302092
CobaltStrike
dddf1d1b2b58721f04fe1eb77804d02fb5fc14deca7d8b4f6a9ce3c55644090e
CobaltStrike
f74f5eb8416d9522e703877e104ac7923cc3efeedaa1138b6221726b0d359096
CobaltStrike
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:metasploit backdoor trojan
Link:
https://tria.ge/reports/201224-8n9mv167e2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
MetaSploit
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://778899aabb.ml:443/Yj2h
Unpacked files
SH256 hash:
14bdf9b3bcb10c51b8dc10275ced93259dbf62ce31331ab3ccf6e5317d7a3cf5
MD5 hash:
48073731d6bc08d6edba5cd9e157729a
SHA1 hash:
1f45b9d7573d182449935c1d39bde1fb11c7e3bc
Link:
https://www.unpac.me/results/1ac29f2b-e686-433b-82c8-4f45c95c8cf9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Metasploit
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/14bdf9b3bcb10c51b8dc10275ced93259dbf62ce31331ab3ccf6e5317d7a3cf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:MALW_cobaltrike
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect CobaltStrike beacon
Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 14bdf9b3bcb10c51b8dc10275ced93259dbf62ce31331ab3ccf6e5317d7a3cf5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/109277/
  
URLhaus
https://urlhaus.abuse.ch/url/941310/
  
Delivery method
Distributed via web download

Comments