MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545
SHA3-384 hash:	35adad63787e7fb53d06c66a01aea39295e5d3cff5ba8c5720a6164a02450adea0f68cc35808847e6099b273c73e0cde
SHA1 hash:	798bb903cc90cd26edc1ede15f3de46f4b53c6ff
MD5 hash:	13dee6e2944d670cd81858e119f7d530
humanhash:	robert-georgia-wyoming-william
File name:	9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	944'640 bytes
First seen:	2021-04-10 02:53:41 UTC
Last seen:	2021-04-10 03:42:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6d204c07b97d1a8d6f9a522ea9d0e681 (1 x CobaltStrike)
ssdeep	12288:ayprfIpD0WMzMdaWUcYXDZ9SRM8FySuv26qXcJUIVdmWq:zAoZlpcYV8Rt5uua
Threatray	684 similar samples on MalwareBazaar
TLSH	D215E134AC8A3274E574D2FA45F3D4B7737334511A331B4B8A6B17632E22294AF2B5C9
Reporter	Anonymous
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

664

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545.zip

Verdict:

Suspicious activity

Analysis date:

2021-04-09 09:06:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c362dbb7-97c9-4aa2-aba6-32358e882511

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/133468/

Detection(s):

SecuriteInfo.com.Variant.Ulise.193084.28068.26770.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Creating a window

Launching a process

Modifying a system file

Sending a custom TCP request

Sending a UDP request

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/671919

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Early bird code injection technique detected

Extracts suspicious resources from PE file (packer detected)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Writes to foreign memory regions

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545/

Threat name:

Win64.Trojan.CobaltStrike

Status:

Malicious

First seen:

2021-04-08 19:44:01 UTC

AV detection:

17 of 48 (35.42%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

1c8de01df040c973b37ae5ce8e1bb523e1ba24a9c25263706022f9a9894a2e50

CobaltStrike

452363ce4a4695a985d5a6200de2b43692f7e0d4df11f0b30b42fc78a0cc9440

CobaltStrike

84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252

CobaltStrike

8fabea95cbfe1da521dfcd7880ec3301a3a32175741680d8c1a8acacc0199eb7

CobaltStrike

9d0cc73772d79a0561d03db4e6aca9fad9b125afbbc7f2b4f7f3df25eeed56a0

CobaltStrike

a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11

CobaltStrike

cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c

CobaltStrike

dbafbe9edfdac67a781756a6970a7341fd5401b0914fff7e3e8136cff0426fc5

CobaltStrike

f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d

CobaltStrike

+ 674 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan

Link:

https://tria.ge/reports/210410-rcdecpn25j/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Executes dropped EXE

Cobaltstrike

Malware Config

C2 Extraction:

http://106.117.252.172:443/jquery-3.3.1.min.js
http://111.62.79.149:443/jquery-3.3.1.min.js
http://121.29.54.59:443/jquery-3.3.1.min.js
http://113.137.62.36:443/jquery-3.3.1.min.js
http://111.19.244.43:443/jquery-3.3.1.min.js
http://116.177.248.23:443/jquery-3.3.1.min.js
http://122.246.6.14:443/jquery-3.3.1.min.js

Unpacked files

SH256 hash:

9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545

MD5 hash:

13dee6e2944d670cd81858e119f7d530

SHA1 hash:

798bb903cc90cd26edc1ede15f3de46f4b53c6ff

Link:

https://www.unpac.me/results/7901c961-dbf6-4afb-96dc-82634eec9284/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

CobaltStrike

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/133468/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample