MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f92929879f642470b73488aa719ae8c044a302969d14e70ea1ec2a1fda59bd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f92929879f642470b73488aa719ae8c044a302969d14e70ea1ec2a1fda59bd3
SHA3-384 hash: 23d9f254d176fdeacfe2c23843e77c95aa7e9b3d0b9916cf7258c278601bdc0cd6c559a8d58b7d7c68851cb0ebd1043a
SHA1 hash: 278da5b7c4be0653562efa612198139ec8e3ccb4
MD5 hash: 9353d01ebee0c3e51ab99756ed0d5858
humanhash: crazy-chicken-speaker-may
File name:koba.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:1'401'200 bytes
First seen:2020-11-12 14:53:08 UTC
Last seen:2024-07-24 13:26:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1efe015ade03f54dd6d9b2ccea28b970 (268 x RedLineStealer, 256 x Amadey, 2 x GuLoader)
ssdeep 24576:/ULnBYICvBs4LhGew9i/hIXuyK4cKHemO7jLoSFInbuWFDRJXoxPfv:gBYIk3LnSGI+X3EoLoSSnbjFD3Xod3
Threatray 1 similar samples on MalwareBazaar
TLSH A75523A33BDE5471ECF41BB018F51A131B323885EE789A9B6295C9DEA8127E0713435F
Reporter James_inthe_box
Tags:CobaltStrike exe

Code Signing Certificate

Organisation:BurnAware
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 1 00:00:00 2019 GMT
Valid to:Sep 30 23:59:59 2022 GMT
Serial number: C01E41FF29078E6626A640C5A19A8D80
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: CCA4A461592E6ADFF4E0A4458EBE29EE4DE5F04C638DBD3B7EE30F3519CFD7E5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.HEUR.QVM41.2.370B.Malware.Gen.25626.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/532939
Signature
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315571 Sample: koba.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 76 38 Multi AV Scanner detection for submitted file 2->38 40 Uses ping.exe to sleep 2->40 42 Machine Learning detection for sample 2->42 44 2 other signatures 2->44 8 koba.exe 1 7 2->8         started        11 rundll32.exe 2->11         started        process3 file4 32 fOfyMZuiJItVgNxruW...FecHkgNJptKworcfHKG, COM 8->32 dropped 13 cmd.exe 1 8->13         started        process5 signatures6 48 Drops PE files with a suspicious file extension 13->48 16 cmd.exe 2 13->16         started        20 conhost.exe 13->20         started        process7 file8 30 C:\Users\user\AppData\Local\...\csrss.com, PE32+ 16->30 dropped 36 Uses ping.exe to sleep 16->36 22 csrss.com 16->22         started        25 PING.EXE 1 16->25         started        28 certutil.exe 2 16->28         started        signatures9 process10 dnsIp11 46 Multi AV Scanner detection for dropped file 22->46 34 uTnvWjDVD.uTnvWjDVD 25->34 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f92929879f642470b73488aa719ae8c044a302969d14e70ea1ec2a1fda59bd3/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-01 08:32:30 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6jjfgdz6zbeoc3tjcfkognorqceumbjnhiu44hkd3bkd7nftpjq._file
Verdict:
unknown
Similar samples:
5dcea548692418c3f47e0f0b2f05991720e870c2c65170c603f6e8dbcc11dd23
CobaltStrike
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor persistence trojan
Link:
https://tria.ge/reports/201112-qhhgc69m42/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Cobaltstrike
Malware Config
C2 Extraction:
http://Uw0soheevahjahsaifae.glowtrow.fun:443/image/
http://bah1tuquaizia9eu3Ume.glowtrow.site:443/created/
http://seudaize6io3Go0quahC.cleans.space:443/static/
Unpacked files
SH256 hash:
3f92929879f642470b73488aa719ae8c044a302969d14e70ea1ec2a1fda59bd3
MD5 hash:
9353d01ebee0c3e51ab99756ed0d5858
SHA1 hash:
278da5b7c4be0653562efa612198139ec8e3ccb4
Link:
https://www.unpac.me/results/af4e1d91-03e8-49f3-b325-52a931773a11/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/810253/

Comments