MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9122991758a93293f0ec4db1de3a04927f583b08751a553d235d5fdc1b254bd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 9



SHA256 hash: 9122991758a93293f0ec4db1de3a04927f583b08751a553d235d5fdc1b254bd4
SHA3-384 hash: 1cd34c93053a6ceb64e5a23f76d951d6af30f4b1e1655ced3083ca1ad0193ddd42d6bc08d1e9b1c5f7be7c93ace6b134
SHA1 hash: f972b34d4c6f5eef0b463891b4bfc0ef75db191c
MD5 hash: 99d14b1da9c6a8aeca28a82918d0e316
humanhash: july-montana-beer-helium
File name: knur.exe
Signature: CobaltStrike
File size: 885'760 bytes
First seen: 2022-08-21 18:16:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 244e3a78ff9349b7446b2bf8a31d71d4 (1 x CobaltStrike)
ssdeep: 24576:iJZg2FdWMxqy3fi7QRKMFJIOs36qB0c7hMY:OndW84vcsK42Y
Threatray: 1'841 similar samples on MalwareBazaar
TLSH: T16515AE57F7B853F1D066C53AC4128B5AE7B1BC614B31C38F52A1A75B1F336A14E2A322
TrID:
  90.1% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  0.9% (.EXE) OS/2 Executable (generic) (2029/13)
  0.9% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter: TheDFIRReportX
Tags: CobaltStrike exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 559
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: knur.exe
Verdict: No threats detected
Analysis date: 2022-08-21 18:16:53 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
  Searching for the window
  Creating synchronization primitives
  Searching for synchronization primitives
  DNS request
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
  MalwareBazaar
  MeasuringTime
  SystemUptime
  CheckScreenResolution
  EvasionQueryPerformanceCounter
  EvasionGetTickCount
  CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: explorer.exe greyware keylogger packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj
Score: 92 / 100
Signature
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for domain / URL
  Yara detected CobaltStrike
Threat name: Win64.Trojan.CobaltStrike
Status: Malicious
First seen: 2022-08-21 18:17:10 UTC
File Type: PE+ (Exe)
Extracted files: 85
AV detection: 13 of 26 (50.00%)
Threat level: 5/5
Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike botnet:0 backdoor trojan
Behaviour
  Suspicious use of SetWindowsHookEx
  Cobaltstrike
Malware Config
C2 Extraction: http://josefgur.com:443/jquery-3.3.1.min.js
Unpacked files
SHA256 hash: 9122991758a93293f0ec4db1de3a04927f583b08751a553d235d5fdc1b254bd4
MD5 hash: 99d14b1da9c6a8aeca28a82918d0e316
SHA1 hash: f972b34d4c6f5eef0b463891b4bfc0ef75db191c
Please note that we are no longer able to provide a coverage score for Virus Total.
