MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568b
SHA3-384 hash: bd89fab1d29e66f10c0bcbf7d41a96bd124b9384f66011ed93e43e160f7761884742bd525f0de3b629a276bc233b0e98
SHA1 hash: 27959f67a6f1b66b11ffc14e4f07c8aa3bf74463
MD5 hash: d952cfd30747b6640c62a7fad420765a
humanhash: oxygen-kentucky-echo-yankee
File name:1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568b
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:148'480 bytes
First seen:2021-11-22 23:24:25 UTC
Last seen:2021-11-23 00:42:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 937bd4797d14fcb82ba2199283413f3c (2 x CobaltStrike)
ssdeep 3072:Ntri2ak1b/R1HjHirDVSctgamznaIRQd:Ntegbp1rirD7mmV
Threatray 185 similar samples on MalwareBazaar
TLSH T1EDE3E536FAA73109F952E734AE17E020BDD178401E258E2D6A528585CF38DDCFE2FA51
Reporter Arkbird_SOLG
Tags:apt CobaltStrike exe tardigrade

Intelligence

File Origin
# of uploads :
2
# of downloads :
581
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568b
Verdict:
No threats detected
Analysis date:
2021-11-22 23:31:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6f9d3fe2-366a-4e6e-b4e1-f2dd912ca112

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Bulz.393610.24916.4789.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
DNS request
Launching a process
Forced system process termination
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug conti crypter greyware
Link:
https://www.filescan.io/uploads/619c26d1dd04e7d00e02e919/reports/e5873c89-d02e-43ad-aa29-17c7e85867c9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6f2a00f-c24d-470d-8525-de4aba1892b4
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/894280
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Process Patterns
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526754 Sample: 481DGzXveG Startdate: 23/11/2021 Architecture: WINDOWS Score: 88 54 Found malware configuration 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 3 other signatures 2->60 8 loaddll64.exe 8 2->8         started        process3 process4 10 regsvr32.exe 7 8->10         started        13 rundll32.exe 8->13         started        16 iexplore.exe 1 73 8->16         started        18 5 other processes 8->18 dnsIp5 46 77.83.199.61, 80 ASN-MOLMoscowRussiaRU Lithuania 10->46 20 cmd.exe 1 10->20         started        23 WerFault.exe 10->23         started        62 System process connects to network (likely due to code injection or exploit) 13->62 25 cmd.exe 13->25         started        27 WerFault.exe 13->27         started        29 iexplore.exe 2 150 16->29         started        32 rundll32.exe 1 18->32         started        34 cmd.exe 18->34         started        36 cmd.exe 18->36         started        signatures6 process7 dnsIp8 44 C:\Users\user\AppData\Local\...\DEMB2F7.tmp, ASCII 20->44 dropped 38 conhost.exe 20->38         started        40 conhost.exe 25->40         started        48 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49842, 49843 YAHOO-DEBDE United Kingdom 29->48 50 dart.l.doubleclick.net 142.250.203.102, 443, 49837, 49838 GOOGLEUS United States 29->50 52 13 other IPs or domains 29->52 42 cmd.exe 32->42         started        file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568b/
Threat name:
Win64.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 05:24:48 UTC
File Type:
PE+ (Dll)
AV detection:
29 of 45 (64.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00
CobaltStrike
118ed2b8b1f173f80cf2efd988170d78b876e0af02a10868b4d61aa01bedf1d3
CobaltStrike
21997a8180c9d1add6f4b7eb35d754d9a15acc614cdb5b11078eb5da661d9d3e
CobaltStrike
2982b2da67e7c38952e2db5007c3f829328da458f7a90e9b3eb789598ccce6ac
CobaltStrike
bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946
CobaltStrike
bd50fceeb89d220f6710030d3aacbc2427c5796d9b7f3dee8a362f4e7d4113ef
CobaltStrike
c380f48e3d649b6a44b05134108a8c79536f289240e9ed9135e35dadffb6c350
CobaltStrike
cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252
CobaltStrike
cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe
CobaltStrike
e5fa7e3d66f99d172d3eba7af15276e7eb1958748832b8965b9eedba4cbfc90c
CobaltStrike
+ 175 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/211122-3eae3acbc7/
Behaviour
Suspicious use of WriteProcessMemory
Cobaltstrike
Malware Config
C2 Extraction:
http://77.83.199.61:80/files/tab_home.jpg
Unpacked files
SH256 hash:
1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568b
MD5 hash:
d952cfd30747b6640c62a7fad420765a
SHA1 hash:
27959f67a6f1b66b11ffc14e4f07c8aa3bf74463
Link:
https://www.unpac.me/results/cb856a64-afed-4bc1-aaca-6febfda77a99/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_RANSOM_ContiCrypter
Create hunting rule
Author:James Quinn, Binary Defense
Description:Signature for a crypter associated with Conti

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/jfslowik/status/1462873589825216517
Cape
Cape
https://www.capesandbox.com/analysis/208478/

Comments