MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25c0754621f5c8de0e8a71235e26c6797d21a70ed779ec455d4b589c2ce53bb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobianRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25c0754621f5c8de0e8a71235e26c6797d21a70ed779ec455d4b589c2ce53bb8
SHA3-384 hash: 71360e2f1da3b1a9230458dbe0b1c18c983919e6b75fbd1d3ff12ef17e6e27b8d3213c17323af0ac2a6ec46142224c6b
SHA1 hash: 2246fe2e6b4d9d285ec8681075f21857ac31392f
MD5 hash: e66275001ba64db5d3fa293f6f4c152f
humanhash: berlin-bakerloo-west-neptune
File name:serv.exe
Download: download sample
Signature CobianRAT
Create hunting rule
File size:30'720 bytes
First seen:2020-07-27 06:57:29 UTC
Last seen:2020-07-27 07:50:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:UlZ3hei0OblBcTZPR6Vc+nEscc/IJlNVVNDpSIw39qWrDk2kMK6KUkyoseNegUEm:4/3ZsZPR6VdBgJlNzOSJ0ia1No6Y4
Threatray 11 similar samples on MalwareBazaar
TLSH 9CD23A8873E08732C97E677B0673926013F48F539613EB4F4ED4B4A92EB37114A51A63
Reporter JAMESWT_WT
Tags:CobianRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32693/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader26.5584.28944.32036.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with Startup directory
Enabling a "Do not show hidden files" option
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/398327
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25c0754621f5c8de0e8a71235e26c6797d21a70ed779ec455d4b589c2ce53bb8/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-07-27 06:59:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
4d9b89978e6ca9cf14cb1f04859e01e66c1e0dbefedd1663617647535c0b3fa0
CobianRAT
4f3129e7343d1dee0695d18f265f88610ec1c04132be5d1888993278daf8920e
CobianRAT
54cc3426c8ad3f2d39543a8157843620af7108ea419589cc6755e77a31b96047
CobianRAT
723497bec220b3ef0d45c5134403fd2ba23eef0673707cf1e74166b06365d308
CobianRAT
8325ff9c585668aafee7499983616920d347b6e778c5c183484cb0aa5738f45d
CobianRAT
9f55258f872561acb62137271079b8e1f67ebe6b1a211e30a2c02c02699c3449
CobianRAT
b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218
CobianRAT
c1b06231624dd9cd446357211a63f8d27f2a7781123c0dff89f277f95e408192
CobianRAT
ddbe4689702130a4dc5d5133c517f466a47e003b645326c7dded00247bde315f
CobianRAT
fa50933b7c3b07672776f2e7a0f543bdfb537e6f7d88bc6c1bc1a84af8839ed5
CobianRAT
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200727-gs35llgv4j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Adds Run key to start application
Adds Run key to start application
Drops startup file
Drops startup file
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25c0754621f5c8de0e8a71235e26c6797d21a70ed779ec455d4b589c2ce53bb8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobianRAT

Executable exe 25c0754621f5c8de0e8a71235e26c6797d21a70ed779ec455d4b589c2ce53bb8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/32693/
  
URLhaus
https://urlhaus.abuse.ch/url/419643/
  
Delivery method
Distributed via web download

Comments