MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9881f416f578c0e68d1bd1465811a46be30fb45a8191ba82d6d9e0a1d5dc839c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9881f416f578c0e68d1bd1465811a46be30fb45a8191ba82d6d9e0a1d5dc839c
SHA3-384 hash: cd58422ad63be1eab771ea9252d169822f167457c758e6a644e81ec99ddc4336a7e217a4073cdedb815fe427893ecb7d
SHA1 hash: 5ac3eb8cce76ada7f394526b9957416905c5e0b8
MD5 hash: b19ec1d7a82986dbeab3f166a946eee9
humanhash: friend-may-colorado-hamper
File name:b19ec1d7a82986dbeab3f166a946eee9.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:204'288 bytes
First seen:2024-09-16 11:05:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 6144:MGh/L3HpHR1dbK0rwHc9aG8gyhMRq30yeOi:MEbz1dbdZ9jhyhMUeO
Threatray 56 similar samples on MalwareBazaar
TLSH T17D1412BBB963F053DAD90E74420199D3D14C182F5A3666C1DF2922C70879B0B6AD6E3F
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:CobaltStrike exe


Avatar
abuse_ch
CobaltStrike C2:
89.197.154.116:7810

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.197.154.116:7810 https://threatfox.abuse.ch/ioc/1325262/

Intelligence

File Origin
# of uploads :
1
# of downloads :
459
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.Meterpreter.157.11320.4460.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e8111d2ebf76853bd5d4e0
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cobalt config-extracted packed packed packed upx
Link:
https://www.filescan.io/uploads/66e8111dd2758b8668ba2608/reports/eec3428d-8f7f-4720-a31d-357779ea5441/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9881f416f578c0e68d1bd1465811a46be30fb45a8191ba82d6d9e0a1d5dc839c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cobalt Strike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78ba7879-32ec-4706-885d-fff1a0d10a76
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1511808
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9881f416f578c0e68d1bd1465811a46be30fb45a8191ba82d6d9e0a1d5dc839c
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9881f416f578c0e68d1bd1465811a46be30fb45a8191ba82d6d9e0a1d5dc839c/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2024-09-16 11:06:12 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tca7ifxvpdaondi32fdfqenenprq7nc2qgi3vaww3hqkdvo4qooa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d
CobaltStrike
66fa2281567f268adefb54e91b88bfbd7a08eee6c40ff4aafa31472b8d49a3a6
CobaltStrike
7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
CobaltStrike
843ae5d44ada9651a6e8253759a53bafca37cb1b7c09544b1d56370269564c91
CobaltStrike
9750c40f706b035a90da57ec5632283c54672d21d45acfbceb1fd2370a9c9c23
CobaltStrike
acc69bb8c8d1b4fe18adf40b4f1fc59b8482004a90d36526761bfc3c5e5c41ea
CobaltStrike
ee4668d7ca1c84e11f460bf48f9e8f298bd4875862ba17f21e9deabc688b9494
CobaltStrike
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/240916-m7d1ystgpq/
Behaviour
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/77fc3823-20eb-439e-b2a1-d6912fb9daa5
Unpacked files
SH256 hash:
565deabda761c35b39e1e5561b8404fb2fd4c003d891ff2b36c3b4f2c6d569be
MD5 hash:
d08820a71d9331a228845288caa0ea78
SHA1 hash:
59be33dda68b48362b8108b1d652b7066df2b613
Link:
https://www.unpac.me/results/db02e632-8927-481a-a062-d5ee63736b9e/
SH256 hash:
9881f416f578c0e68d1bd1465811a46be30fb45a8191ba82d6d9e0a1d5dc839c
MD5 hash:
b19ec1d7a82986dbeab3f166a946eee9
SHA1 hash:
5ac3eb8cce76ada7f394526b9957416905c5e0b8
Link:
https://www.unpac.me/results/db02e632-8927-481a-a062-d5ee63736b9e/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9881f416f578/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CobaltStrike
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9881f416f578c0e68d1bd1465811a46be30fb45a8191ba82d6d9e0a1d5dc839c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 9881f416f578c0e68d1bd1465811a46be30fb45a8191ba82d6d9e0a1d5dc839c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3088362/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments