MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88e7b17b889fe2b623121b8e2bba6317979bd79885536b21524e94797b3ed36c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88e7b17b889fe2b623121b8e2bba6317979bd79885536b21524e94797b3ed36c
SHA3-384 hash: 8b8e739e0ca3488006f64a0d345ca634d53cd9bae9e0834c9e2084a0de5104099d5d81d36a603dddb1dd400ac3da45f6
SHA1 hash: bac427a8fe8d8d5c3337d29af12362ac50a3ecbb
MD5 hash: 0c1efbe65c5665d463f8fcc73ec7beba
humanhash: undress-failed-three-asparagus
File name:88e7b17b889fe2b623121b8e2bba6317979bd79885536b21524e94797b3ed36c
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:5'446'292 bytes
First seen:2020-08-31 13:08:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f9d4e4402b24826f24da78ca7ab0442f (2 x CobaltStrike)
ssdeep 98304:aMpXXOTaHk1pCODv4phqvBfmhwnJBybFnlOtc35x4CnotnbtFhur2WtdSGU:aRT2Apuhqv1bn37m+VBDdqdu
Threatray 35 similar samples on MalwareBazaar
TLSH 2C46336C766004BEC41945749EF2C43A4733B8760378DBA647D8A7523F2BB617E2A339
Reporter JAMESWT_WT
Tags:101.132.33.79 CobaltStrike

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53548/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Sending an HTTP GET request
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/455491
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88e7b17b889fe2b623121b8e2bba6317979bd79885536b21524e94797b3ed36c/
Threat name:
Win64.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2019-12-17 12:37:12 UTC
File Type:
PE+ (Exe)
Extracted files:
606
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdt3c64it7rlmiysdohcxotdc6lzxv4yqvjwwiksj2khs6z62nwa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
00383e0cef95de02bac4a4725234f5430202e33f1d80b1dd299d682590e6d2f9
CobaltStrike
3d30f3e545110a115ed70bb765354c8b3a7cffa96440f0ea45ee819c71ccb8e9
CobaltStrike
44d961f8647d856ae040bf6c7797f1edee4712a1af7396776560f2aeafea6434
CobaltStrike
647445a04c0d58e00c8e81c5f7393b183953670664fd34e10ed15e13a2eac775
CobaltStrike
71bb29dfc07190aeace9d750fcb2e9a66a8abebab3c6d2c40eb0b3ce93e4c36f
CobaltStrike
81429537eaee5bbddb85975b66d4726bc8f80daec6167a5d3e796ea377dd3fa6
CobaltStrike
83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475
CobaltStrike
ceba09dc5368ded2d7d5b62bd36fdecbd47aee8f3219abfd2ca32f31b0eba7b0
CobaltStrike
d38f78f931898d8cd152dc2e10900e784392c0a8e22e9d45f6f65827c6d17782
CobaltStrike
e463d24b09ee120b0d0b6230d24f4337a73e312a4ac7fb9a3b434ec0a805db00
CobaltStrike
+ 25 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor family:cobaltstrike
Link:
https://tria.ge/reports/200831-fexzeygf6n/
Behaviour
Suspicious use of WriteProcessMemory
JavaScript code in executable
Loads dropped DLL
Cobaltstrike
Malware Config
C2 Extraction:
http://101.132.33.79:4527/jquery-3.3.1.min.js
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/88e7b17b889fe2b623121b8e2bba6317979bd79885536b21524e94797b3ed36c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/53548/

Comments