MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2df05a70d3ce646285a0f888df15064b4e73034b67e06d9a4f4da680ed62e926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CobaltStrike
Vendor detections: 5

SHA256 hash: 2df05a70d3ce646285a0f888df15064b4e73034b67e06d9a4f4da680ed62e926
SHA3-384 hash: 418b9ac563b2343311f8c078dc3288feab2f5db8fbbe5423f58df2ea36fbebbffb9da2cf5a4edee5162b06c74b0c4d0b
SHA1 hash: 0a2a8c2aa271632b635609bf6139ccd778c7ebff
MD5 hash: a5f23d18fb7c247d783e471ec2f76327
humanhash: vermont-spring-angel-indigo
File name: 123.exe
Signature: CobaltStrike
File size: 4'551'592 bytes
First seen: 2021-04-19 11:21:17 UTC
Last seen: 2021-04-20 05:15:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f8cb0cbb23adcf17d07116fd255e953e (1 x CobaltStrike)
ssdeep: 98304:dZDhCIuEYw5O0MVkVazxhEEtWOjFLOAkGkzdnEVomFHKnPjjfPW:dZDvo0yxhEEtWmFLOyomFHKnPjjW
Threatray: 209 similar samples on MalwareBazaar
TLSH: F426BE123DCC046FC0632D316AFCFE38F55EBEA1262D259731D2BE2DE9322811955D6A
Reporter: Anonymous
Tags: CobaltStrike

Intelligence

File Origin
# of uploads: 3
# of downloads: 490
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 阿里巴巴集团蚂蚁金服部分岗位信息Some job information of Alibaba Group Ant Financial.exe.zip
Verdict: No threats detected
Analysis date: 2021-04-12 15:00:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Sending a custom TCP request
Sending a UDP request
Connection attempt
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100
Signature
Creates processes via WMI
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID: 392288; sample: 123.exe; start date: 19/04/2021; architecture: WINDOWS; score: 60)
Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Creates processes via WMI (WMIC.exe)
Processes started: 123.exe; explorer.exe (two instances); WMIC.exe (child of 123.exe); conhost.exe (child of WMIC.exe); AcroRd32.exe (child of explorer.exe); RdrCEF.exe and a second AcroRd32.exe (children of AcroRd32.exe); four further RdrCEF.exe (children of RdrCEF.exe)
Network (123.exe): 112.25.18.134, 443, 49718, 49748 (CMNET-JIANGSU-AP China Mobile communications corporation CN, China); 122.228.7.225, 443, 49734, 49755 (CHINATELECOM-ZHEJIANG-WENZHOU-IDC Wenzhou Zhejiang Province, China); 9 other IPs or domains
Network (AcroRd32.exe): 192.168.2.1 (unknown, unknown)
Network (RdrCEF.exe): 80.0.0.0 (NTLGB, United Kingdom)
Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike backdoor trojan
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Cobaltstrike
Process spawned unexpected child process
Malware Config
C2 Extraction:
http://101.72.205.224:443/config
http://112.25.18.134:443/admin
http://118.123.241.220:443/admin
http://121.207.229.145:443/admin
http://122.193.130.74:443/login
http://122.228.7.225:443/admin
http://123.6.10.169:443/admin
http://124.236.20.207:443/admin
http://125.37.206.220:443/config
http://125.76.247.185:443/login
http://140.249.60.193:443/admin
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-19 12:19:33 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.012] Anti-Behavioral Analysis::Human User Check
3) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
4) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
5) [B0012.001] Anti-Static Analysis::Argument Obfuscation
6) [F0002.002] Collection::Polling
7) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
8) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
9) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
10) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
11) [C0019] Data Micro-objective::Check String
12) [C0026.001] Data Micro-objective::Base64::Encode Data
13) [C0026.002] Data Micro-objective::XOR::Encode Data
14) [C0030.005] Data Micro-objective::FNV::Non-Cryptographic Hash
16) [C0045] File System Micro-objective::Copy File
17) [C0047] File System Micro-objective::Delete File
18) [C0049] File System Micro-objective::Get File Attributes
19) [C0051] File System Micro-objective::Read File
20) [C0052] File System Micro-objective::Writes File
21) [E1510] Impact::Clipboard Modification
22) [C0007] Memory Micro-objective::Allocate Memory
23) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
24) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
25) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
26) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
27) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
28) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
29) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
30) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
31) [C0040] Process Micro-objective::Allocate Thread Local Storage
32) [C0017] Process Micro-objective::Create Process
33) [C0038] Process Micro-objective::Create Thread
34) [C0054] Process Micro-objective::Resume Thread
35) [C0041] Process Micro-objective::Set Thread Local Storage Value
36) [C0055] Process Micro-objective::Suspend Thread
37) [C0018] Process Micro-objective::Terminate Process