MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments 1

SHA256 hash:	7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618
SHA3-384 hash:	ccb655db48930ba1da974dc69e4bc692c43b9faaf8ddac44ccd0eb81b7b1d22f4728644a321dfd41fc45c30d0e886bba
SHA1 hash:	84842f681f7640332f51e283aa8988cb37f4ff77
MD5 hash:	8e96a9977d96e47db7c33cf350338b87
humanhash:	bulldog-speaker-ten-batman
File name:	8e96a9977d96e47db7c33cf350338b87
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	2'621'808 bytes
First seen:	2021-10-27 06:55:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c5e1b3da38294e11715b25be229e737f (1 x CobaltStrike)
ssdeep	49152:PXkBqWXVR8fkWKGEg+hGUlHJgxMt/N0+kZ:P04Ux7g+hGUDgx0a+O
TLSH	T173C5236F72B87494E4929930C4A0513DABB778A54B688EFF07C1C6261E73BD0CD60E67
File icon (PE):
dhash icon	f8e2eae6b696c6cc (4 x CobaltStrike, 2 x Adware.Generic, 2 x ValleyRAT)
Reporter	zbetcheckin
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

540

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/200399/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-genTrj.22290.30119.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Connection attempt

Sending a custom TCP request

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the Program Files subdirectories

Creating a window

Running batch commands

DNS request

Transferring files using the Background Intelligent Transfer Service (BITS)

Sending an HTTP GET request

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Moving a file to the %temp% directory

Deleting a recently created file

Creating a file in the Windows subdirectories

Moving a file to the Program Files subdirectory

Moving of the original file

Enabling autorun for a service

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/6178f805db358dd15edef231/reports/cdf11688-c5d4-4b51-a98b-6d7bcbf9b080/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/08beb234-1117-44c7-b070-c55b2cfad7a8

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/877546

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2021-10-27 06:56:06 UTC

AV detection:

7 of 45 (15.56%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:426352781 backdoor trojan

Link:

https://tria.ge/reports/211027-hqcz4sabem/

Behaviour

Modifies system certificate store

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Cobaltstrike

Malware Config

C2 Extraction:

http://42.81.120.12:443/c/msdownload/update/others/2021/10/29136388_
http://111.12.28.24:443/c/msdownload/update/others/2021/10/29136388_
http://120.221.245.161:443/c/msdownload/update/others/2021/10/29136388_
http://221.180.219.232:443/c/msdownload/update/others/2021/10/29136388_

Unpacked files

SH256 hash:

7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618

MD5 hash:

8e96a9977d96e47db7c33cf350338b87

SHA1 hash:

84842f681f7640332f51e283aa8988cb37f4ff77

Link:

https://www.unpac.me/results/d3df9815-9e2b-4912-81be-e544be851a7e/

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7a51bf0527aa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/