MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bf4965b4daccbf2252291b215630adc8eb345038e48b63ef3e92e9af35cf1ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bf4965b4daccbf2252291b215630adc8eb345038e48b63ef3e92e9af35cf1ee
SHA3-384 hash: 0d24ab5d70040a2714d27886afd3dd2233ce42801097fe21f1cc43e2755daf32ebba87d86d3ee8669e0b6845ed70521c
SHA1 hash: 71f2e4fca94d7e9a6a54f69839a5c0dd00b61219
MD5 hash: 1f836bc2e7c377adc571316c6d6dbd79
humanhash: lion-mars-double-california
File name:csrabbit.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:14'336 bytes
First seen:2021-02-15 16:32:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep 192:CHSykZahxHn9QgyBtX4SR4wefaNoI42oRK/SjN7AGY:uSykyDyLXrRwaNB4AyAp
Threatray 85 similar samples on MalwareBazaar
TLSH 1A521A3AE74338F2F82A8574A4EABAFE6F77D3134E114809CED4D94468174369D07A4E
Reporter r3dbU7z
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
476
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
csrabbit.exe
Verdict:
No threats detected
Analysis date:
2021-02-15 16:44:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75283c2f-2aa8-4829-9702-d8477c5cde43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117184/
Detection(s):
SecuriteInfo.com.Crypt5.BLLV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a UDP request
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/608204
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bf4965b4daccbf2252291b215630adc8eb345038e48b63ef3e92e9af35cf1ee/
Threat name:
Win32.Trojan.Rozena
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 23:44:46 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
2a9cc30f7d56b3534b928749f86e7ca5d95d41086087ca1e34e021d0a2899d19
CobaltStrike
39dca3fbd2f4684b95c0e46c833dcf6d95a0d7b53ede8e5a0a62a1d04bc37e0b
CobaltStrike
57a395267a680f4909efd096007d6ec86254502ae1c33a70733f0ccef85c4791
CobaltStrike
57c01087b31f6ee1ce41c32ab914d67f690132535e63e3ca832e69aa6b72971b
CobaltStrike
af2bc53c341eaa7f66aeb3e4ebf060b686ea155c53dabde46b5be66cbd43d803
CobaltStrike
c83163a6e61b2bf3852b426f8ccccac4044d57b2b4514125624632e836f51660
CobaltStrike
caa6e314a8ebbba3eadc8a0cd77e70e794928d24e6be19d7f2891383540440cb
CobaltStrike
cec36e8ed65ac6f250c05b4a17c09f58bb80c19b73169aaf40fa15c8d3a9a6a1
CobaltStrike
f0bcf90c8a887b662d9413e62ff453dea774e520df15a6651eacad17eda434ac
CobaltStrike
f408d79dcfcd22dffa9556281051117f871b4c3935a1600e12634a7f078cfc0d
CobaltStrike
+ 75 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:metasploit backdoor trojan
Link:
https://tria.ge/reports/210215-xl5vdrfcq2/
Behaviour
MetaSploit
Malware Config
C2 Extraction:
http://149.248.6.193:4000/NzHL
Unpacked files
SH256 hash:
9bf4965b4daccbf2252291b215630adc8eb345038e48b63ef3e92e9af35cf1ee
MD5 hash:
1f836bc2e7c377adc571316c6d6dbd79
SHA1 hash:
71f2e4fca94d7e9a6a54f69839a5c0dd00b61219
Link:
https://www.unpac.me/results/f38d14ac-8e15-4b4a-aa76-a6c0bd1dfce6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bf4965b4daccbf2252291b215630adc8eb345038e48b63ef3e92e9af35cf1ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DarkHydrus_Jul18_5
Create hunting rule
Author:Florian Roth
Description:Detects strings found in malware samples in APT report in DarkHydrus
Reference:https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/117184/

Comments