MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9edcf9664940435399ce1093902470cd617994b5b1d502fdf17800329ac18242. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	9edcf9664940435399ce1093902470cd617994b5b1d502fdf17800329ac18242
SHA3-384 hash:	a90b1036e7c48b5871749e7e860647fb4604bafce67b22bcd0da58e513c29770065812baa232a3b08c4730bb55fdb1cf
SHA1 hash:	d57823906ddf5697bf96fe2e985d93513de4bee9
MD5 hash:	2bd9c0ae977d28d89bc7e590e0996274
humanhash:	shade-texas-ohio-cardinal
File name:	9edcf9664940435399ce1093902470cd617994b5b1d502fdf17800329ac18242.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	8'474'968 bytes
First seen:	2021-07-23 02:13:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a3ad6d92eab8f06b07d3158ef496dc72 (1 x CobaltStrike)
ssdeep	196608:0E4ndaonsp7CSJ9onJ5hrZEKte9tGPqKvTbH4v1V5cWF9E:0E4Qonsp799c5hlEKdPNv3YjZY
Threatray	470 similar samples on MalwareBazaar
TLSH	T1088633483432B063CBE4543216FA8370E6E1BCE6AF2355395CAA339547FBBC56FA5016
dhash icon	e04c96374d3732cc (1 x CobaltStrike)
Reporter	r3dbU7z
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

492

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9edcf9664940435399ce1093902470cd617994b5b1d502fdf17800329ac18242.exe

Verdict:

No threats detected

Analysis date:

2021-07-23 02:16:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/16eb5587-a379-45d3-aa24-7c26d0f93383

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrike

Link:

https://www.capesandbox.com/analysis/173475/

Detection(s):

SecuriteInfo.com.Python.Downloader.48.21410.17770.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

WeSteal

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd682a85-956b-453c-9a8f-80aed694443e

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/820502

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Uses known network protocols on non-standard ports

Yara detected CobaltStrike

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9edcf9664940435399ce1093902470cd617994b5b1d502fdf17800329ac18242/

Threat name:

Win64.Trojan.Shelma

Status:

Malicious

First seen:

2021-07-23 02:14:04 UTC

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

1f2b9ed45696d387c21a1a5ac0c414949cd5357d182fa3e670d9d335abeca5e4

CobaltStrike

53e4f5df0428b043d69593a2875bace25b99e5f2b9f7fc7630a4f8ef5b75251f

CobaltStrike

8559cd83983e1795b7acc80ea894f8b8f19b03ce6c119980cd6b5a63f009e4dd

CobaltStrike

b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8

CobaltStrike

ceba09dc5368ded2d7d5b62bd36fdecbd47aee8f3219abfd2ca32f31b0eba7b0

CobaltStrike

d38f78f931898d8cd152dc2e10900e784392c0a8e22e9d45f6f65827c6d17782

CobaltStrike

e463d24b09ee120b0d0b6230d24f4337a73e312a4ac7fb9a3b434ec0a805db00

CobaltStrike

f17ef984fa28df471992fd7519246ffe7349b2d0309eea9d1a11a04fe3de402c

CobaltStrike

f83ff41855709553f7f425aebd23420d3b2dd5e1e04cc7c619ba77920137ded4

CobaltStrike

+ 460 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:426352781 backdoor pyinstaller trojan upx

Link:

https://tria.ge/reports/210723-n5ebmxa89j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Loads dropped DLL

Cobaltstrike

Malware Config

C2 Extraction:

http://124.70.101.248:1008/GPuQ
http://124.70.101.248:1008/match

Unpacked files

SH256 hash:

9edcf9664940435399ce1093902470cd617994b5b1d502fdf17800329ac18242

MD5 hash:

2bd9c0ae977d28d89bc7e590e0996274

SHA1 hash:

d57823906ddf5697bf96fe2e985d93513de4bee9

Link:

https://www.unpac.me/results/ab2bffd7-a950-479e-b286-807c438696c0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9edcf9664940435399ce1093902470cd617994b5b1d502fdf17800329ac18242

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/173475/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample