MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c8de01df040c973b37ae5ce8e1bb523e1ba24a9c25263706022f9a9894a2e50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c8de01df040c973b37ae5ce8e1bb523e1ba24a9c25263706022f9a9894a2e50
SHA3-384 hash: 28cae2bbadf74a3b30e969aae2635283d8f43e963b669e4d61fe2216b8295f38e89f8a732109f386aeb69d51ba5c0b7b
SHA1 hash: 295fda9201323f640fd697faf69d2784e0135573
MD5 hash: 84040f339a996a373ae8a0bb0e671be5
humanhash: iowa-triple-golf-pip
File name:9.capital
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:552'960 bytes
First seen:2021-03-15 17:03:38 UTC
Last seen:2021-03-15 20:43:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a2c333610904b0bdb1edbc04aa01b305 (1 x CobaltStrike)
ssdeep 12288:myIEbOghGa96VBDDOu6J50EXg5/rSBtil:myIEP0VniSEXgNrSji
Threatray 634 similar samples on MalwareBazaar
TLSH 89C43B0AF7B88677D0239139C9538A8AE7B1B8555B70838F4291E77E1F377A14D3A321
Reporter p5yb34m
Tags:CobaltStrike dll TA505


Avatar
p5yb34m
Source:
http://www.ceder-invest.be/sass/capital.php

Intelligence

File Origin
# of uploads :
4
# of downloads :
2'003
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9.capital
Verdict:
No threats detected
Analysis date:
2021-03-15 17:08:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c1274c8-67fb-40df-b5e9-ba6ebf42b71c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.generic.ml.14236.5149.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/91c4cb84-38b6-49be-8a1f-09832c35318d
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/639780
Signature
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c8de01df040c973b37ae5ce8e1bb523e1ba24a9c25263706022f9a9894a2e50/
Threat name:
Win64.Trojan.Shelma
Create hunting rule
Status:
Malicious
First seen:
2021-03-15 17:04:06 UTC
File Type:
PE+ (Dll)
Extracted files:
43
AV detection:
2 of 47 (4.26%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882
CobaltStrike
055672abeb2d5018279ea2ad039bfa752c1f8333c065e3830ba61b17a65f3731
CobaltStrike
132bdcb986e3e3b9599b5b293b3318e7c630495e87a9d1fa02287ae80f9e652f
CobaltStrike
54094b2385ea86406ad20d865e6c03ec6233187e293d3d982d281d0237b552dc
CobaltStrike
6543e374acbfe9a3bcfa9a76cb743aaea934c1a1fce7c419b42c27b3fbb1f880
CobaltStrike
6cf0a44011ec1e1a891d7d06357c4687634e42d65a3eecfe9180e608b5d6e150
CobaltStrike
84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252
CobaltStrike
b7d4f66a98e928dfb18d41021e5ad11043a3fc473c794edf481e8aa8c7cc9255
CobaltStrike
d03b1d500e960377df77a72c5074b4c56b29f938f48ecd03ac846b38d3c914d3
CobaltStrike
f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d
CobaltStrike
+ 624 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/210315-6222wgtyxx/
Behaviour
Modifies system certificate store
Blocklisted process makes network request
Cobaltstrike
Malware Config
C2 Extraction:
http://onecoloradosport.com:443/jquery-3.3.2.slim.min.js
http://onecoloradosport.com:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
1c8de01df040c973b37ae5ce8e1bb523e1ba24a9c25263706022f9a9894a2e50
MD5 hash:
84040f339a996a373ae8a0bb0e671be5
SHA1 hash:
295fda9201323f640fd697faf69d2784e0135573
Link:
https://www.unpac.me/results/5ce6aeda-6823-47c0-a310-31a7abe614c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c8de01df040c973b37ae5ce8e1bb523e1ba24a9c25263706022f9a9894a2e50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 1c8de01df040c973b37ae5ce8e1bb523e1ba24a9c25263706022f9a9894a2e50

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1069261/

Comments