MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75e03f40a088903579a436c0d8e8bc3d0d71cf2942ad793cc948f36866a2e1ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 8

SHA256 hash: 75e03f40a088903579a436c0d8e8bc3d0d71cf2942ad793cc948f36866a2e1ad
SHA3-384 hash: ca21b45a6c78a3aa9458e98c01a8d5f24cb8c05c59a83f82d8bd05deffa7b6c86b3b37a6cd9dc636cb1c397e3c7cea18
SHA1 hash: 232af3b6a96ead34c18607a81b5f7af14763195a
MD5 hash: 76de16ed705561ad6ff55fd578660c91
humanhash: island-nevada-december-montana
File name: 75e03f40a088903579a436c0d8e8bc3d0d71cf2942ad793cc948f36866a2e1ad
Signature: CobaltStrike
File size: 2'189'056 bytes
First seen: 2021-07-12 07:09:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: db7948f7bb94c20ceb8e0b74d33d72f3 (2 x CobaltStrike)
ssdeep: 49152:uH3vF85FshhD4ggDZ7tPBdhC4dQnnwVc64u2:AFWPBFdQnnwG6e
Threatray: 338 similar samples on MalwareBazaar
TLSH: T10CA57C03F79588E7C499C23892576322B771FC89473AB3AB5BD45E312E32B905F6D284
Reporter: JAMESWT_WT
Tags: BIOPASS CobaltStrike exe signed

Code Signing Certificate

Organisation: Happytuk Co.,Ltd.
Issuer: Symantec Class 3 SHA256 Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2018-09-06T00:00:00Z
Valid to: 2021-10-05T23:59:59Z
Serial number: 0ed4df1033393ff2af41c571a6aa19d7
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: f78de1e59df2eac7901d4fa7d66e9818204a5c4c9b630bb2ff9439c2dea8b5b5
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 515
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: CobaltStrike Metasploit
Detection: malicious
Classification: troj.spyw.evad
Score: 56 / 100
Signature:
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Gathers network related connection and port information
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Yara detected CobaltStrike
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Behavior Graph ID: 447036
Sample: WhQZ6UbCEY
Start date: 12/07/2021
Architecture: WINDOWS
Score: 56
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures

Process tree reconstructed from the graph (network contacts, signatures and dropped files listed under the process that produced them):

WhQZ6UbCEY.exe
    Network: eu-central-1.oss-acc.aliyuncs.com (47.254.186.176, 49720, 49750, 49755; CNNIC-ALIBABA-US-NET-AP, Alibaba US Technology Co Ltd, United States); softres.oss-accelerate.aliyuncs.com; 2 other IPs or domains
    Dropped: C:\ProgramData\lua\luac.exe (PE32); C:\ProgramData\lua\lua.exe (PE32); C:\Users\user\AppData\...\Silverlight.exe (PE32); 7 other files (none is malicious)
luac.exe
    Network: 45.154.13.94, 443, 49724, 49727 (BOHOBEACHCLUBSAHN, Netherlands); lualibs.oss-cn-hongkong.aliyuncs.com (47.75.19.154, 49718, 49746, 80; CNNIC-ALIBABA-US-NET-AP, Alibaba US Technology Co Ltd, United States)
    Signature: Gathers network related connection and port information
    cmd.exe
        Network: 127.0.0.1
        Signatures: Uses netstat to query active network connections and open ports; Uses ipconfig to lookup or modify the Windows network settings; Gathers network related connection and port information
        4 other processes
    cmd.exe
        lua.exe
            Network: softres.oss-accelerate.aliyuncs.com; oss-acc-allline.aliyuncs.com.gds.alibabadns.com; 4 other IPs or domains
            Signature: Gathers network related connection and port information
            cmd.exe
                Signature: Gathers network related connection and port information
                NETSTAT.EXE
                findstr.exe
                findstr.exe
        conhost.exe
    cmd.exe
        4 other processes
    2 other processes
        WMIC.exe
        6 other processes
Silverlight.exe
    Dropped: C:\...\microsoft_defaults.exe (PE32); C:\5a70dbc53fcf0baade86ff\install.res.dll (PE32); C:\5a70dbc53fcf0baade86ff\install.exe (PE32)
    install.exe
        microsoft_defaults.exe
            Network: g.msn.com
            Dropped: C:\Users\user\AppData\...\DefaultPack.EXE (PE32); C:\Users\user\AppData\...\DefaultPack[1].EXE (PE32)
        coregen.exe
            conhost.exe
        2 other processes
2 other processes
Threat name: Win64.Trojan.Cometer
Status: Malicious
First seen: 2021-06-25 12:29:08 UTC
File Type: PE+ (Exe)
Extracted files: 5
AV detection: 14 of 46 (30.43%)
Threat level: 5/5
Result
Malware family: metasploit
Score: 10/10
Tags: family:cobaltstrike family:metasploit botnet:305419896 backdoor spyware stealer trojan
Behaviour
Gathers network information
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Drops file in System32 directory
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Cobaltstrike
MetaSploit
Malware Config
C2 Extraction:
http://45.154.13.94:443/F8JD2R
http://45.154.13.94:443/updates
Unpacked files
SHA256 hash: 75e03f40a088903579a436c0d8e8bc3d0d71cf2942ad793cc948f36866a2e1ad
MD5 hash: 76de16ed705561ad6ff55fd578660c91
SHA1 hash: 232af3b6a96ead34c18607a81b5f7af14763195a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CobaltStrikeBeacon
Author: enzo
Description: Cobalt Strike Beacon Payload

Rule name: CobaltStrike_Sleep_Decoder_Indicator
Author: yara@s3c.za.net
Description: Detects CobaltStrike sleep_mask decoder

Rule name: CobaltStrike_Unmodifed_Beacon
Author: yara@s3c.za.net
Description: Detects unmodified CobaltStrike beacon DLL

Rule name: crime_win32_csbeacon_1
Author: @VK_Intel
Description: Detects Cobalt Strike loader
Reference: https://twitter.com/VK_Intel/status/1239632822358474753

Rule name: CS_beacon
Author: Etienne Maynier tek@randhome.io

Rule name: HKTL_CobaltStrike_Beacon_Strings
Author: Elastic
Description: Identifies strings used in Cobalt Strike Beacon DLL
Reference: https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name: HKTL_Meterpreter_inMemory
Author: netbiosX, Florian Roth
Description: Detects Meterpreter in-memory
Reference: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name: HKTL_Win_CobaltStrike
Author: threatintel@volexity.com
Description: The CobaltStrike malware family.
Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name: INDICATOR_SUSPICIOUS_ReflectiveLoader
Author: ditekSHen
Description: detects Reflective DLL injection artifacts

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: ReflectiveLoader
Author: Florian Roth
Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: WiltedTulip_ReflectiveLoader
Author: Florian Roth
Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference: http://www.clearskysec.com/tulip

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments