MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31bffcb4afdba092230c1e621a8259aff530d812ababfe2d34af5fbfea827efd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	31bffcb4afdba092230c1e621a8259aff530d812ababfe2d34af5fbfea827efd
SHA3-384 hash:	b36c35be050dcb1e99bfa34c6814df99d05f3f0fc24f57c1d643c303375833894c856d123af93a41949a2aa1a2e3c2f8
SHA1 hash:	cbc212f9d32f00d714914a852e4f9f3cc4d8a2b3
MD5 hash:	dea14dc21e436eaaa3c8ee35fac3e7fa
humanhash:	magnesium-eleven-tennis-mockingbird
File name:	31bffcb4afdba092230c1e621a8259aff530d812ababfe2d34af5fbfea827efd.bin
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	39'752 bytes
First seen:	2021-05-31 11:19:53 UTC
Last seen:	2021-05-31 12:16:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	100785cfba4c2db8d721246d848afb79 (1 x CobaltStrike)
ssdeep	768:nCAL3okCH2ShmOg6MlluSaSxkFIwzJKmfk5ipiRGp9E+StU:nIHdm/PjaSoIwzJ/k5ipioQ+S+
Threatray	892 similar samples on MalwareBazaar
TLSH	4603287179A19384FD61C87241FD56E9B921B7308B5923EBD274C623CE636D0ADB0C9C
Reporter	JAMESWT_WT
Tags:	1.A Connect GmbH CobaltStrike exe signed

Code Signing Certificate

Organisation:	1.A Connect GmbH
Issuer:	COMODO RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2018-08-13T00:00:00Z
Valid to:	2022-08-13T23:59:59Z
Serial number:	a7e4ded4bf949d15aa4201843f1ab64d
Intelligence:	30 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	d519622e7d1eab2c240860d38779704319f1349cc57ab8c3d51d9f56145b582f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

2

# of downloads :

522

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

31bffcb4afdba092230c1e621a8259aff530d812ababfe2d34af5fbfea827efd.bin

Verdict:

No threats detected

Analysis date:

2021-05-31 11:38:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b4071f60-6529-403c-9bb5-6c9fecfa364f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/163458/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46139513.12316.15536.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/794689

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/31bffcb4afdba092230c1e621a8259aff530d812ababfe2d34af5fbfea827efd/

Threat name:

Win64.Trojan.Shelma

Status:

Malicious

First seen:

2021-04-14 00:50:12 UTC

File Type:

PE+ (Exe)

Extracted files:

2

AV detection:

21 of 45 (46.67%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

Similar samples:

1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9

2af42a2047b16f2dea0038365058a8d8b7f71152117c371ce7f593e47aa785d1

3e6c11f27c1309c63abe0a1563c6141ce7b8d8110419c572be46dcb3578db443

49f80e9afca6ccd55838cd0e16639d51ed5db3d751f36ba7d79ea0678b50da6a

a8241398b22ba3745b460a7a0c39cb9a86ca258b9283901d42e8dab283acb39b

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

c3cd38ef21032f1410a496a7ca71239619a8d9aa289e70f05f42893def8129e0

cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252

f74f5eb8416d9522e703877e104ac7923cc3efeedaa1138b6221726b0d359096

f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f

+ 882 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:305419896 backdoor trojan

Link:

https://tria.ge/reports/210531-qtm1y98sre/

Behaviour

Cobaltstrike

Malware Config

C2 Extraction:

http://27.221.119.231:443/jquery-3.3.2.2.slim.min.js
http://60.31.184.208:443/jquery-3.3.1.1.min.js

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/31bffcb4afdba092230c1e621a8259aff530d812ababfe2d34af5fbfea827efd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/163458/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample