MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e
SHA3-384 hash: f87ef90b9518e3b68a7f84cb76d325e4dcc0e90d50014518d303f5f9f95dd3ff4e0419bf37e2b8c20d11bce310dce902
SHA1 hash: b246ed8055ad9e7bb760795e054224d406ec8a20
MD5 hash: 06b8feae2c9d9f2940cb9dca40d553c3
humanhash: sweet-vermont-arizona-mobile
File name:8969122ef3485df.log
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:430'487 bytes
First seen:2022-11-28 13:49:01 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12288:hhU0sdb34MkPGI4MpPBrCi1y05XlXNgLZRwUmm:tpki13jgLZRwUmm
Threatray 4'841 similar samples on MalwareBazaar
TLSH T12B94BE473F5869EED511F067E92CB0C235D4B52EA4A48AD8B6F9D0F519F802228F43E7
Reporter 0xToxin
Tags:CobaltStrike PerceptionPoint ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
IL IL
Vendor Threat Intelligence
Detection(s):
Win.Trojan.CobaltStrike-7917400-0
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6384bc58090ea3f04934bb5a/reports/938d92f5-f815-4388-bdd1-5f877d85a4a9/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
CobaltStrike, Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122591
Signature
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected CobaltStrike
Yara detected MetasploitPayload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755315 Sample: 8969122ef3485df.log.ps1 Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 8 powershell.exe 30 2->8         started        process3 dnsIp4 35 159.223.12.60, 49700, 49701, 49702 CELANESE-US United States 8->35 11 cmd.exe 1 8->11         started        13 cmd.exe 1 8->13         started        15 cmd.exe 1 8->15         started        17 conhost.exe 8->17         started        process5 process6 19 net.exe 1 11->19         started        21 conhost.exe 11->21         started        23 net.exe 1 13->23         started        25 conhost.exe 13->25         started        27 nltest.exe 1 15->27         started        29 conhost.exe 15->29         started        process7 31 net1.exe 1 19->31         started        33 net1.exe 1 23->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e/
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 13:02:55 UTC
File Type:
Text (PowerShell)
AV detection:
7 of 41 (17.07%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=soypdeari2feqzgbcs6lz7cv6rqofr4jwfhkre6cntsfbu6cdkpa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0ca5c734d0f935bcb1d2ba2345150127daa31d05dc7b3363a2b5215de83ab16f
CobaltStrike
0d9f996114a86552cdbafee84d66a90cc99dafd1675f0f97351f9a75c64affec
CobaltStrike
464dcd506637588f1640550f411af1a56a1d9784e61e43e9bcf247b3243211e8
CobaltStrike
6bccded92524b7b072f25340bea78ec1cacb89ca2a5fc32a27508af201b146ab
CobaltStrike
8befc91b605e2dd3ee8917f6e4b2ab943ec7900d257b704955c2defc0328b4d8
CobaltStrike
b6f286ea918a8be8d76bb9514382d346ec5683fcb0a53050baa300108551adee
CobaltStrike
c9519b21f42e1b7c5a9a65cd0636f39eca080fffe536267c1bde08027aaba673
CobaltStrike
d6618f430c04b203394c7887803a2171402efa31427c0835e24c9dec935bf79c
CobaltStrike
f6f92927f5a3032e9d044479470f3e8d12cc6987aad70c0bce06541b557ee9dd
CobaltStrike
+ 4'831 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor trojan
Link:
https://tria.ge/reports/221128-rq95aaad26/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Cobaltstrike
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments