MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 784bda4b3f1a0aa52eb077984ceccbe3724c9d592a99a26ef0134146e6523980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 784bda4b3f1a0aa52eb077984ceccbe3724c9d592a99a26ef0134146e6523980
SHA3-384 hash: cd707b34fba9818d3df5bb4f9e4905b9f24f07eb97d9fe7df1a521d936203f2bf30f71ef86043d0b56c65f04c1a093c6
SHA1 hash: 9a18f5f9af0da80df11829b33652f81d91c07210
MD5 hash: cf33fe84163bcc57eb3744c2a1ebc147
humanhash: cola-wolfram-maryland-utah
File name:784bda4b3f1a0aa52eb077984ceccbe3724c9d592a99a26ef0134146e6523980.bin
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:16'384 bytes
First seen:2020-09-10 08:54:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:Q/0Ilezf1yNkAs1rBK1jDJgD/1/j46pM83Rxn:fzf1y+r1d62D/1/je8hxn
Threatray 1'171 similar samples on MalwareBazaar
TLSH C4721941EBFC161BCEED1A3C24AB120A6BF3AB57AC81E34F1CE0552895133E0A9517F5
Reporter JAMESWT_WT
Tags:154.92.16.126 CobaltStrike

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58334/
Detection(s):
Win.Trojan.CobaltStrike-7913051-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a window
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/462985
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 283892 Sample: Vd535nYaqJ.bin Startdate: 10/09/2020 Architecture: WINDOWS Score: 56 13 db5p.wns.windows.com 2->13 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 7 Vd535nYaqJ.exe 3 2->7         started        signatures3 process4 process5 9 dw20.exe 22 6 7->9         started        11 conhost.exe 7->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/784bda4b3f1a0aa52eb077984ceccbe3724c9d592a99a26ef0134146e6523980/
Threat name:
Win32.Trojan.Rozena
Create hunting rule
Status:
Malicious
First seen:
2020-07-23 08:50:33 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
08649fecb4d65bc7583496f888b9dd72da2024f30bbd4261ad6db6d19c9a1fe7
CobaltStrike
0a0ac8e138fdddc9e18357375ff41da88e340ac4dfc225d2d60976607dac8d8c
CobaltStrike
2331837cf27d223a23b000cdf14f026c383a628ae69d516726b19fcb9424359a
CobaltStrike
3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8
CobaltStrike
68127a3666833ba7ab999e65ed3c94b02f6fded7b3d468cecc3895ef340ef833
CobaltStrike
757de1bfe2ba8c069cad8938b02383d54fbc1ed0823ca0f8374c34ae12ee0ce8
CobaltStrike
997de5ed7182657e00985a8b1e5f91656a8d7ad171c504780c5edbdda5fd5835
CobaltStrike
b3f42f7a9747edcd9d13cab3d0a41b3e0d3cde5a5548f5328b5fcf2f3e068d85
CobaltStrike
e304360ae3cd976383d8593e91f3f3bb95ab4f56f90d281e390e64b9f9b45a10
CobaltStrike
ed1640ac6b131e600ada39bbd4453cabaea4375bd1308ff07bcf6630d6b38daa
CobaltStrike
+ 1'161 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:metasploit
Link:
https://tria.ge/reports/200910-kqf3aam4nn/
Behaviour
Metasploit family
Malware Config
C2 Extraction:
http://154.92.16.126:7779/ZWy2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CobaltStrike
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/784bda4b3f1a0aa52eb077984ceccbe3724c9d592a99a26ef0134146e6523980

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1303645607861551111?s=20
Cape
Cape
https://www.capesandbox.com/analysis/58334/

Comments