MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e
SHA3-384 hash:	9f9d3ca20f80103992e06b91ab879a6655f36df8b51ce0e17449845c39f0bd89ab0e0278edf5def27ab9204410c707a1
SHA1 hash:	87766ad5ad114c3be467fe23875431f0c98f322a
MD5 hash:	94c64b0d319d702c886a261c9ce533f4
humanhash:	oranges-freddie-nevada-cup
File name:	954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e.bin
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	363'520 bytes
First seen:	2021-07-29 07:47:52 UTC
Last seen:	2021-07-29 08:42:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0b0c4e162fa8fc0cb6af9aaef19826fc (1 x CobaltStrike)
ssdeep	6144:ki/iwt+ibsr7uwx8K9kPYL4II3/4D7HUiaPpbgbB7PJi/1zgM6P6:kmt+bSRQ57X7JJ28e
Threatray	1'016 similar samples on MalwareBazaar
TLSH	T1B374AE3093A87DEBC8038BF44C0A3E455674A423BDEA5A5FB99434B1DD537D18EFAA10
Reporter	JAMESWT_WT
Tags:	assets.switzer.com.au.global.prod.fastly.net CobaltStrike exe

Intelligence

File Origin

# of uploads :

2

# of downloads :

155

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e.bin

Verdict:

No threats detected

Analysis date:

2021-07-29 08:00:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/30e8fdda-ddfd-4f6a-a7f9-f0efe23f3d11

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/174890/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46692036.27881.24008.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f164ca46-44e3-429e-8734-911197682a8f

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/823625

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: CobaltStrike Load by Rundll32

System process connects to network (likely due to code injection or exploit)

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Gathering data

Threat name:

Win64.Trojan.CobaltStrike

Status:

Malicious

First seen:

2021-07-27 12:17:58 UTC

File Type:

PE+ (Dll)

Extracted files:

1

AV detection:

15 of 46 (32.61%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

Similar samples:

1b11ae98b85bb0645abe36adcd852e6e84b51c6b5c811729f3c19f14f32d4e4f

2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c

2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9

42104ac31fe7ae7328c209007ea71dc3effb183c736a9bddcf86f690fe96df9a

673d8268fd21825ca5f21d8b395cdcede7009b60e540cb36c46f5794626faefb

9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545

cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58

e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407

+ 1'006 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:928055683 backdoor trojan

Link:

https://tria.ge/reports/210729-qa75ajmlmj/

Behaviour

Cobaltstrike

Malware Config

C2 Extraction:

http://assets.switzer.com.au.global.prod.fastly.net:443/jquery-3.3.1.min.js

Unpacked files

SH256 hash:

954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e

MD5 hash:

94c64b0d319d702c886a261c9ce533f4

SHA1 hash:

87766ad5ad114c3be467fe23875431f0c98f322a

Link:

https://www.unpac.me/results/02807e35-4a52-41cf-9418-87f0222ed92a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/174890/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample