MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 611b8e22e90f2df191ab7e5522620c5350faf06d70b329647e044ce80d575e44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike
Vendor detections: 9


SHA256 hash: 611b8e22e90f2df191ab7e5522620c5350faf06d70b329647e044ce80d575e44
SHA3-384 hash: 33445093775e083a60f3c90e050319d7f176e0a210b71585ef9c657a87e306f71cb15b30290b44680cd71c212ae390e7
SHA1 hash: 75d9938a5df041f70302ea1825462cd0d5354be2
MD5 hash: 4731005842ef44fc1ce6a580d68e627f
humanhash: vermont-autumn-river-north
File name: 611b8e22e90f2df191ab7e5522620c5350faf06d70b329647e044ce80d575e44
Signature: CobaltStrike
File size: 5'640'493 bytes
First seen: 2021-03-11 08:13:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1da9ea396652d5e0b17e3ad46db6896 (2 x CobaltStrike)
ssdeep: 98304:oS8ZLxjR/7JNzJwjI5klUigKYkBEvHPIEQxTdTaR5kKV/nKIKaH:FSFl6bUpMBvaR57VLP
Threatray: 25 similar samples on MalwareBazaar
TLSH: 67463328FC818177D077283648B2D3746A6439F10B08A467AFD51A3F9F325F279798B6
Reporter: JAMESWT_WT
Tags: 118.31.60.46 Cobalt Strike CobaltStrike

Intelligence

File Origin
# of uploads: 1
# of downloads: 540
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 611b8e22e90f2df191ab7e5522620c5350faf06d70b329647e044ce80d575e44
Verdict: Malicious activity
Analysis date: 2021-03-11 08:16:11 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Connection attempt
Sending a UDP request
Deleting a recently created file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Cometer
Status: Malicious
First seen: 2021-03-04 11:09:21 UTC
File Type: PE (Exe)
Extracted files: 359
AV detection: 14 of 28 (50.00%)
Threat level: 5/5
Result
Malware family: metasploit
Score: 10/10
Tags: family:metasploit backdoor pyinstaller trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
MetaSploit
Malware Config
C2 Extraction: http://118.31.60.46:82/i5sK
Unpacked files

SHA256 hash: 27e62ed60d180382adaf7531c375ebafcd1b23fb6ee7c98d5eaf9423825b080d
MD5 hash: 5f9be4a6de2f77f778fd08c9ee38b2ef
SHA1 hash: 03006dbdd3c7b78c0cd552d43594a965991370a3

SHA256 hash: 917af4bb3022afa73d6140cd805d5f9321a87ef035d2b9ac6fe3859ed2bd2611
MD5 hash: 4c9e09b809b45d702eb3ba666066043d
SHA1 hash: bd901b3b29c2c9792b3adfcdcba6e8ad739fcbf3

SHA256 hash: 8ad8c41c46d0840390ad8c3039d9bb1b97c3629303a8b622655ed527b1f0370d
MD5 hash: c3163f70d5cb6ec86c4021769066eeb6
SHA1 hash: 4c065cb244b43a2f0de4827941b5ae57f987136e

SHA256 hash: 1e74b9382c79fa3681c8f44c1ec4661193b1f1639b7b286ce46f5feb45f92e0a
MD5 hash: 2e8e33fcf16bed21570ccabc1bc3a742
SHA1 hash: 4513e0098ae453946192d77f1d706f9d7fe97e26

SHA256 hash: 77001093773fda7387d53aed49b9445f514d12f5fb8722881895ac25aaa35948
MD5 hash: 171ccf3d97a7a3645068a41810213fce
SHA1 hash: c48bf5099513b1977ac584fe2bca7ce039d2b2b2

SHA256 hash: bab0cd38f6b52ff157833d4e02b0becda2f81baf0935de6b908329f21a4e5421
MD5 hash: c81c2562153c008b1f93f908f0edc9ba
SHA1 hash: 6007c4a82579b0580867ff0374e104a38a2dc98f

SHA256 hash: 611b8e22e90f2df191ab7e5522620c5350faf06d70b329647e044ce80d575e44
MD5 hash: 4731005842ef44fc1ce6a580d68e627f
SHA1 hash: 75d9938a5df041f70302ea1825462cd0d5354be2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_File_pyinstaller
Author: Didier Stevens (https://DidierStevens.com)
Description: Detect PE file produced by pyinstaller
Reference: https://isc.sans.edu/diary/21057

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments