MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 386905021498147779b0a632c682bd707fd05e1074407e5a8ff879a2274b9cfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	386905021498147779b0a632c682bd707fd05e1074407e5a8ff879a2274b9cfb
SHA3-384 hash:	24ff419b0b5015a6626d08fe67ebc17d936bc03d655aea828653242708e867bb8813620d5cd4b55394a939853152abd5
SHA1 hash:	44b142fb3cdd7b06e0a4c684ea19a170d389312f
MD5 hash:	a8b769daba2ce07104de3b304ffffcb6
humanhash:	river-steak-washington-oregon
File name:	main.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	1'804'800 bytes
First seen:	2021-08-28 12:00:21 UTC
Last seen:	2021-08-28 12:57:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep	24576:c94LBP2CcUqdzLiC2AXooy10kbilDVDf6xOXRK4CfczYD1pePlYrq9Fehew/NYoQ:c9waxXVzDfVkmYD1EdlFm/WoVZQ
Threatray	433 similar samples on MalwareBazaar
TLSH	T19B857E42FDDB64B2E552623208B7A2EF2334B50A1735DEC3DA04AF7BAC275A11D32355
Reporter	JAMESWT_WT
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

543

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

main.exe

Verdict:

Malicious activity

Analysis date:

2021-08-28 12:02:22 UTC

Tags:

trojan cobaltstrike

Link:

https://app.any.run/tasks/9005bac0-ed32-4acb-8638-a924fa12567b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/183055/

Detection(s):

SecuriteInfo.com.DeepScan.Generic.Exploit.Shellcode.1.DA210AA1.24471.28279.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending an HTTP GET request

Launching a process

Creating a process with a hidden window

Creating a window

Launching a service

Creating a file

Enabling the 'hidden' option for recently created files

Sending a UDP request

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec494db0-9673-4ffd-b6f3-fd2080a6cae3

Result

Threat name:

CobaltStrike Metasploit

Detection:

malicious

Classification:

troj

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/840724

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Yara detected CobaltStrike

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/386905021498147779b0a632c682bd707fd05e1074407e5a8ff879a2274b9cfb/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-08-28 12:01:12 UTC

File Type:

PE (Exe)

AV detection:

15 of 46 (32.61%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

5724f81b8cc1a9a3330cb22020e393c854471f605b422b99a2fd5dda3d32cf80

CobaltStrike

57706d626980cfe25b27f6244b175e60cd087cb156336d4f774cad68fc54b34b

CobaltStrike

6afab1df3de00b1200198e692eae6dc36373c310cf4102ecacc5c6e8ff89a7e8

CobaltStrike

8545e60514c0b80a0375e8dba8da9515efc1621d9d6df05ee8196e635b801267

CobaltStrike

a3499e847373725d2924a5914b9ac861fda3c53b31ca5cfcaa02b9363f205774

CobaltStrike

be106bc807b68d8d2bea83f7fbd526675f127b2f234d6c31e2932bb5a5d1aa34

CobaltStrike

f4ca63aeb4e3246c5d923942497d650bc3920c9fbc78a330ecf9d7db67e0cb8f

CobaltStrike

fad4aa474affa78e820e731061ed7614feba095422465f0ca4c05a1f3506beb8

CobaltStrike

+ 423 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:0 backdoor trojan

Link:

https://tria.ge/reports/210828-k23rjb9v4a/

Behaviour

Cobaltstrike

Malware Config

C2 Extraction:

http://216.128.176.111:1280/jquery-3.3.1.min.js

Unpacked files

SH256 hash:

386905021498147779b0a632c682bd707fd05e1074407e5a8ff879a2274b9cfb

MD5 hash:

a8b769daba2ce07104de3b304ffffcb6

SHA1 hash:

44b142fb3cdd7b06e0a4c684ea19a170d389312f

Link:

https://www.unpac.me/results/b0220bef-a2aa-4784-8e6f-80c1b2a3566f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/386905021498147779b0a632c682bd707fd05e1074407e5a8ff879a2274b9cfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_Payload_Encoded Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	GoBinTest Create hunting rule

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	golang Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/malwrhunterteam/status/1431573842774872064?s=20

Cape

https://www.capesandbox.com/analysis/183055/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample