MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c195ec63793d4d4927cb5e06cd2c5771cedab32baecd2097454e3709e2748cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	8c195ec63793d4d4927cb5e06cd2c5771cedab32baecd2097454e3709e2748cc
SHA3-384 hash:	1fe81c909e1ad42cd99b3107a500a3700b9fd4ee753128fea8330f0ad915d68112ba61575df83258abd311cd7932c2e2
SHA1 hash:	0a8a99cabfdb604d49247e6dac946bf6b904b8bf
MD5 hash:	9b0401c043d529f96f5fd13a7e96ed6a
humanhash:	oven-quiet-uncle-missouri
File name:	8c195ec63793d4d4927cb5e06cd2c5771cedab32baecd2097454e3709e2748cc
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	684'034 bytes
First seen:	2020-08-31 13:12:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1e245684e6b4e9bee02f6219a15bff26 (1 x CobaltStrike)
ssdeep	12288:ZXoi98fUE5wJVOGfq6fKqTUHT3WK8IjtRXE/pw5VBgB2f+h0xs3sgXOT:8fUE5wJkSzTUHT3WK8IjtRX8Yg4C0xN3
Threatray	79 similar samples on MalwareBazaar
TLSH	A8E49D22F500C032E4D1027A87FB4BB65D2D9922572A94D7BBD0ADE84E705F27D39B1B
Reporter	JAMESWT_WT
Tags:	49.235.166.224

Intelligence

File Origin

# of uploads :

1

# of downloads :

86

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53567/

Detection(s):

PUA.Win.Packer.NspackDotnetNor-2

PUA.Win.Packer.NspackDotnetNor-1

PUA.Win.Downloader.Aiis-6803892-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Sending an HTTP GET request

Sending a UDP request

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/455528

Signature

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Drops PE files to the document folder of the user

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Uses known network protocols on non-standard ports

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8c195ec63793d4d4927cb5e06cd2c5771cedab32baecd2097454e3709e2748cc/

Threat name:

Win32.Trojan.Rozena

Status:

Malicious

First seen:

2020-08-05 19:14:00 UTC

File Type:

PE (Exe)

Extracted files:

28

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

Similar samples:

0bcb3e0d5496e7211313a35799aa38d4b571d316014ebd2242ca8d556f9d32a3

39dca3fbd2f4684b95c0e46c833dcf6d95a0d7b53ede8e5a0a62a1d04bc37e0b

4b459c85c8425e368325d8844148e6a058d350374eb721a3da26c4e85ba26973

60b57a5e5fe515104f57a44c136e7ddaac0d72b099c3959a26493b8c47f66e3f

8a148932d87847341a5cc3e93ba144ea1332229a4334a951449b7458169533bc

a3b71dfc0235bd33cd7d9d05db130acc2d4d4852522279aab9ceb5ea9f3d0ca9

c83163a6e61b2bf3852b426f8ccccac4044d57b2b4514125624632e836f51660

d6ad7fadcb2167a24e36bb0f9e668c95183c3c224bef5775bc06c5bc71b02616

f0bcf90c8a887b662d9413e62ff453dea774e520df15a6651eacad17eda434ac

f6e04b3710044f76666468559fd2b6688ccac091284d138e461c2257c387d7d3

+ 69 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/200831-rs5q4ps4dj/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Drops file in Windows directory

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8c195ec63793d4d4927cb5e06cd2c5771cedab32baecd2097454e3709e2748cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/53567/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample