MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68081a431396a2876a1f57b55ebfc2bfb762abcc4feb5d29e9b0415ef415d10e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68081a431396a2876a1f57b55ebfc2bfb762abcc4feb5d29e9b0415ef415d10e
SHA3-384 hash: 1b15aac23d22ce1c8308a47579d506282940c23575b7174a42c7d8d507e80cb25a8b92c212d9a0acb6843f5935bc4f1e
SHA1 hash: 25110bff4e00ad80ca26bb38c084bbe6c2dc3ba4
MD5 hash: 825fbab710f4bfbc1a0c80a56b7cf7f0
humanhash: network-asparagus-illinois-leopard
File name:68675ec.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:314'382 bytes
First seen:2021-04-07 22:46:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 659cb99b53c4406dda332310ca49ae1c (1 x CobaltStrike)
ssdeep 6144:BzEfZJVX/pQEGCq6Wph5Y6p8UvsYJ9+6I/90C+OyeJjBhq:BGZJV6Ed3v6p8Uv19+sErBhq
Threatray 2 similar samples on MalwareBazaar
TLSH 3E64ADBCE52044E1D3DE5C33296877EC6BB0754E0727115BABEAB0AEBF119158B025BC
Reporter Pimpjui53612340
Tags:CobaltStrike


Avatar
Pimpjui53612340
CobaltStrike

electronicwhosaleonline[.]com/jquery-3.2.2.min.js
74.118.138[.]236/jquery-3.2.2.min.js

Malleable_C2_Instructions: [Remove 1169 bytes from the end
Remove 84 bytes from the beginning
Remove 3049 bytes from the beginning
Base64 URL-safe decode
XOR mask w/ random key]

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
68675ec.exe
Verdict:
No threats detected
Analysis date:
2021-04-07 22:47:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1f647250-bc4c-4d51-8d2a-4432d35809a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132964/
Detection(s):
Win.Trojan.CobaltStrike-9044898-1
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669339
Signature
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383598 Sample: 68675ec.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 3 other signatures 2->45 7 68675ec.exe 2->7         started        10 svchost.exe 2->10         started        12 cmd.exe 2 2->12         started        14 10 other processes 2->14 process3 dnsIp4 51 Modifies the context of a thread in another process (thread injection) 7->51 17 rundll32.exe 1 2 7->17         started        53 Changes security center settings (notifications, updates, antivirus, firewall) 10->53 21 MpCmdRun.exe 1 10->21         started        23 conhost.exe 12->23         started        25 sc.exe 1 12->25         started        37 127.0.0.1 unknown unknown 14->37 27 conhost.exe 14->27         started        29 sc.exe 1 14->29         started        signatures5 process6 dnsIp7 33 electronicwhosaleonline.com 74.118.138.236, 49713, 49716, 49718 TERASWITCHUS United States 17->33 35 r3.i.lencr.org 17->35 47 System process connects to network (likely due to code injection or exploit) 17->47 49 Creates files in the system32 config directory 17->49 31 conhost.exe 21->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68081a431396a2876a1f57b55ebfc2bfb762abcc4feb5d29e9b0415ef415d10e/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 22:47:08 UTC
AV detection:
23 of 48 (47.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=naebuqyts2rio2q7k62v5p6cx63wfk6mj7vv2kpjwbav55av2eha._file
Verdict:
unknown
Similar samples:
7737be761cd80d49f4597b65503ed001f96dbfe669bd0112dfe3fb9c6885eeca
CobaltStrike
8360faeed3c802fbd78d0f31b14c5b3cdbf01edca8fdc486994d2cc1c2cd70a4
CobaltStrike
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210407-7dc8adr72j/
Unpacked files
SH256 hash:
68081a431396a2876a1f57b55ebfc2bfb762abcc4feb5d29e9b0415ef415d10e
MD5 hash:
825fbab710f4bfbc1a0c80a56b7cf7f0
SHA1 hash:
25110bff4e00ad80ca26bb38c084bbe6c2dc3ba4
Link:
https://www.unpac.me/results/3e9dd681-14ee-41e2-adf5-2960350d39db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CobaltStrike
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68081a431396a2876a1f57b55ebfc2bfb762abcc4feb5d29e9b0415ef415d10e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132964/

Comments