MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578
SHA3-384 hash: a8c62549fa885f7800c1c7a3c19f913fab16cf3a7d2f50813db9fe3b51b2c208e9a16dd5805520288ea981ea12382371
SHA1 hash: e8f2847b2bc4e1585f47a46161c192caf3978d02
MD5 hash: c1e722db229bd6dd596663f6f08aa654
humanhash: hotel-queen-quebec-uranus
File name:!.bin
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:5'479'608 bytes
First seen:2021-11-11 18:25:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a2c1f4d5eeaf95bdec6a6d4cd9f09091 (3 x CobaltStrike)
ssdeep 98304:Laj1Fpo79rrN12R6qyBQPnRNJe1B+XK6bFfVJ9FevDYMeBFh5iFIRv2Vb81+KpI:Gpo7Rv2R67GRNJpHnedeR5U81+5
Threatray 37 similar samples on MalwareBazaar
TLSH T104462391F191D5D0ED6A4931D422DFF860153ECBD6AC189F278AFE1139B2B90E92F20D
File icon (PE):PE icon
dhash icon d8d0a9ada59cc080 (4 x AgentTesla, 4 x RedLineStealer, 2 x Formbook)
Reporter KodaES
Tags:CobaltStrike exe malicious pyinstaller


Avatar
KodaES
https://www.virustotal.com/gui/file/6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578/detection

https://analyze.intezer.com/analyses/0e4230c2-dacf-4e3d-bf7e-1a112c25bb81/sub/6dc64d87-28df-4871-afd4-88bf83403d8c

Intelligence

File Origin
# of uploads :
1
# of downloads :
633
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PyInstaller
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205106/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cobra overlay packed
Link:
https://www.filescan.io/uploads/618d603d175442ca93aca0c8/reports/88cc8255-2e47-400c-a147-707411447fe6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e4230c2-dacf-4e3d-bf7e-1a112c25bb81
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/887708
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578/
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
01f5215f845fe6b9e7c479437f95431c82cadb8b832c681b57ac1be6b66fcf43
CobaltStrike
19b63b2152c3db2a234d2ffec83f8f05fce9986829352779a0a60d1c1f3bf2ae
CobaltStrike
3938467f9676ae5d8907f3b10d5f7a34257f2981165feb61fefae8b6574451bc
CobaltStrike
3dcdb90a6140612a5ca5e3a3e7efbc82c43766355399965a200a5753fd1273ad
CobaltStrike
485fcf4c2834e20d71b6765eccd79f6b0880d6a9fdc5d3e519a943862e9b8246
CobaltStrike
a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037
CobaltStrike
b2c422f242eae9bc5c6909f91b6438258fe90b6959ed1c8730836c2df6be3d81
CobaltStrike
d1483b3180344ec09555db148cc7c21439fef002124bfd7ee74150f0be138375
CobaltStrike
ea1213c0a684662e8305cfe1c6eeebbb12a9d1404e7571438d3730cc1df1caab
CobaltStrike
f42c71d191748551be0bbb356e4dc638c60fbdc906e7d6536ed4512c5c7eab3e
CobaltStrike
+ 27 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor pyinstaller trojan
Link:
https://tria.ge/reports/211111-w269zsbhb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Cobaltstrike
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://101.35.100.211:58888/bEIm
Unpacked files
SH256 hash:
6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578
MD5 hash:
c1e722db229bd6dd596663f6f08aa654
SHA1 hash:
e8f2847b2bc4e1585f47a46161c192caf3978d02
Link:
https://www.unpac.me/results/e6ce045b-e29a-4cf3-bbe8-91af2faca02c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b88286b240db5630c98d895fd188d079b4a88790dee601645afab7ae28cc578

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/205106/

Comments