MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14c63d1c8979ac3e55720fbfedd7f1f7fb68bbf16a2ca2882284817cf01ccd8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike
Vendor detections: 7


SHA256 hash: 14c63d1c8979ac3e55720fbfedd7f1f7fb68bbf16a2ca2882284817cf01ccd8f
SHA3-384 hash: 17b3f11e29d3851bcdeacf9f73342994dd42178eae72f75e7dfb2cffa4ee2266f7b89185b76a8c01ed1cc0a4ea503e91
SHA1 hash: 8655fc0484f35513527268f7313334dc2c2d5953
MD5 hash: 18067be70aad9ca5d329663e35ed5cde
humanhash: monkey-papa-quebec-william
File name: 14c63d1c8979ac3e55720fbfedd7f1f7fb68bbf16a2ca2882284817cf01ccd8f
Signature: CobaltStrike
File size: 15'286'025 bytes
First seen: 2020-09-11 10:35:54 UTC
Last seen: 2020-09-11 11:41:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep: 393216:CMDNYSA2MMbGoK4xAdB6jx0T1s+rG1GXz2F:PDLMMtK4+e10iqGWa
TLSH: 56F633B95DCA243EF68F317D236DAA3725C03F9281C1BF55AB68676D2811E3067C7281
Reporter: JAMESWT_WT
Tags: 39.101.174.221 CobaltStrike

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 125
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Searching for the browser window
Creating a window
Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.evad
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Infects executable files (exe, dll, sys, html)
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
PE file has a writeable .text section
Potentially malicious time measurement code found
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph (ID 284450, sample oWiKTQzTh7, start date 11/09/2020, architecture WINDOWS, score 80), flattened from the graph view into a process tree:

Root signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; NDIS Filter Driver detected (likely used to intercept and sniff network traffic); 2 other signatures
Root processes started: oWiKTQzTh7.exe, svchost.exe, svchost.exe, 2 other processes

oWiKTQzTh7.exe
  dropped: C:\Users\user\AppData\...\TaskServer.exe (PE32); C:\Users\user\...asyConnectInstaller_.exe (PE32)
  started: EasyConnectInstaller_.exe, TaskServer.exe

  TaskServer.exe
    network: 39.101.174.221:39999 (CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China); 127.0.0.1 (unknown)
    signature: Potentially malicious time measurement code found

  EasyConnectInstaller_.exe
    dropped: C:\...\VNICInstaller_X64.exe (PE32); C:\...\VC2010RedistX86UInstaller.exe (PE32); C:\...\TcpDriverInstaller.exe (PE32); 32 other files (1 malicious)
    started: TcpDriverInstaller.exe, DnsDriverInstaller.exe, VNICInstaller_X64.exe, 10 other processes

    TcpDriverInstaller.exe
      dropped: C:\Program Files (x86)\...\WfpDrv_win7X64.sys (PE32+); C:\Program Files (x86)\...\WfpDrv_win7.sys (PE32); C:\Program Files (x86)\...\WfpDrvX64.sys (PE32+); 5 other files (1 malicious)
      signature: Sample is not signed and drops a device driver
      started: Remove.exe, Install.exe

    DnsDriverInstaller.exe
      dropped: C:\Program Files (x86)\...\DnsDrvx64.sys (PE32+); C:\Program Files (x86)\Sangfor\...\DnsDrv.sys (PE32); 4 other files (none is malicious)
      started: Remove.exe, Install.exe

    VNICInstaller_X64.exe
      dropped: 6 other files (1 malicious)
      started: ndiscleanup.x64.exe (which started conhost.exe), vacon.exe

    10 other processes
      dropped: 54 other files (none is malicious)
      signature: Infects executable files (exe, dll, sys, html)
      started: expand.exe (dropped C:\...\1558f05d7d159744b10faf2f8cd4c5ea.tmp, PE32; started conhost.exe), expand.exe (dropped C:\...\a8ea9a94694f024083220214f7f20b87.tmp, PE32; started conhost.exe)
Threat name: Win32.Trojan.Cometer
Status: Malicious
First seen: 2020-09-04 18:54:39 UTC
File Type: PE (Exe)
Extracted files: 1948
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Verdict: malicious
Label(s): cobaltstrike

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Beacon_K5om
Author:Florian Roth
Description:Detects Meterpreter Beacon - file K5om.dll
Reference:https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Rule name:CobaltStrike_Sleep_Decoder_Indicator
Author:yara@s3c.za.net
Description:Detects CobaltStrike sleep_mask decoder
Rule name:CobaltStrike_Unmodifed_Beacon
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:HKTL_Meterpreter_inMemory
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:Leviathan_CobaltStrike_Sample_1
Author:Florian Roth
Description:Detects Cobalt Strike sample from Leviathan report
Reference:https://goo.gl/MZ7dRg
Rule name:Malware_QA_vqgk
Author:Florian Roth
Description:VT Research QA uploaded malware - file vqgk.dll
Reference:VT Research QA
Rule name:PowerShell_Susp_Parameter_Combo
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:ReflectiveLoader
Description:Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments