MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95fd468aa6e1b5da8ff6cadd6d509f2462658384c5ab2fd8d93bdfbe6ea3f0a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95fd468aa6e1b5da8ff6cadd6d509f2462658384c5ab2fd8d93bdfbe6ea3f0a1
SHA3-384 hash: afe07983b446727733262e638a56fe0ccde8cc5aaf7def205db142e3a6f867f84e5fda3bd07881e02ffca19fedddd5c8
SHA1 hash: e968557569d5fb32b6772cbbc737a0bd3e95ee3e
MD5 hash: 4fc774f9f91c0c5ce00d759392e2fe19
humanhash: mirror-uranus-network-carbon
File name:4fc774f9f91c0c5ce00d759392e2fe19
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:17'920 bytes
First seen:2022-11-15 16:34:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 17b461a082950fc6332228572138b80c (121 x CobaltStrike, 2 x Cobalt Strike)
ssdeep 192:bDMAe4Ckj19RZZ6wpSfu1bKcq5uHj7khBDSeKNH4RO3rBUbOj6kxiY:bDMAoKz6WtKEj7aBDiRrbAY
Threatray 653 similar samples on MalwareBazaar
TLSH T168820B7FB64224E9C12BD17CC9EE6771ADF27522416B271F2FB8C7302E20969067D909
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.5% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4fc774f9f91c0c5ce00d759392e2fe19
Verdict:
No threats detected
Analysis date:
2022-11-15 16:37:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/275273a2-d1dd-4e8e-80ed-8f9dd3458001

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334415/
Detection(s):
Win.Trojan.CobaltStrike-9044898-1
Create hunting rule

Win.Trojan.CobaltStrike-7899871-1
Create hunting rule

Win.Countermeasure.LoaderWinGeneric-9804845-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cobalt
Link:
https://www.filescan.io/uploads/6373bfb9f75d59fef0b97a7f/reports/d1047ac9-556b-458a-918e-91f18e293208/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cobalt Strike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5db6f6cf-5d98-4bb7-9621-16a11e560ee7
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114013
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found API chain indicative of debugger detection
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/95fd468aa6e1b5da8ff6cadd6d509f2462658384c5ab2fd8d93bdfbe6ea3f0a1/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-11-15 16:35:08 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sx6uncvg4g25vd7wzlow2ue7errgla4eywvs7wgzhpp343vd6cqq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
080c2647fb26ac8576014a21591465eba5b0ee03475f70e95bc3a4caa8d3642e
CobaltStrike
2949aec1094a9ecaaef168ef50885e49226bb9b46e8c015b74bc98772ac340e6
CobaltStrike
339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502
CobaltStrike
5531524151fcf7af36ff08c7f4a1b00c2c8cd409c64ce0bc2fe022973ba16c0a
CobaltStrike
673d8268fd21825ca5f21d8b395cdcede7009b60e540cb36c46f5794626faefb
CobaltStrike
83653a93fc7d8cba1b6d9bcc7650a10b1b7f0c10ab2b1c112f9d1b7d37333051
CobaltStrike
96f1143875956621e590d05da84a3b75d498ecbf6afda44208894c2f51a8464b
CobaltStrike
d78bdef2ec67cb29a28d57e1579bb6f359d3dfcd7602d64d0673311ad83edbb2
CobaltStrike
e59cc3a94f6a5119f36c4e0b3fbe6f04cc474d0b0b9d101163dac75722c809da
CobaltStrike
+ 643 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor trojan
Link:
https://tria.ge/reports/221115-t3n4paeg43/
Behaviour
Cobaltstrike
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/afe47f38-1974-4602-83b6-d3f7937a9ebe
Unpacked files
SH256 hash:
95fd468aa6e1b5da8ff6cadd6d509f2462658384c5ab2fd8d93bdfbe6ea3f0a1
MD5 hash:
4fc774f9f91c0c5ce00d759392e2fe19
SHA1 hash:
e968557569d5fb32b6772cbbc737a0bd3e95ee3e
Link:
https://www.unpac.me/results/b8cb46af-e916-4465-b919-12ec445ec3da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95fd468aa6e1b5da8ff6cadd6d509f2462658384c5ab2fd8d93bdfbe6ea3f0a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 95fd468aa6e1b5da8ff6cadd6d509f2462658384c5ab2fd8d93bdfbe6ea3f0a1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2412988/
Cape
Cape
https://www.capesandbox.com/analysis/334415/

Comments


Avatar
zbet commented on 2022-11-15 16:34:46 UTC

url : hxxp://115.29.138.142:8008/361.exe