MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f025dd00904f86d66fce2db647d50f08a2bded6a13cac535e7d55127dfdc850. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cobalt Strike

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 5 File information Comments

SHA256 hash:	9f025dd00904f86d66fce2db647d50f08a2bded6a13cac535e7d55127dfdc850
SHA3-384 hash:	350b135f86ce75fbb9d862d3d9c0ebbad2f5d1e516d533f489749fffc0f85c0ac5320f55eca58e6f5089c5dfb56ab728
SHA1 hash:	bfcae0faa60506cc9a8dd4dcdc0b2cfdc33c2142
MD5 hash:	0d24e99b74a85006341b95679a819117
humanhash:	mexico-bravo-snake-london
File name:	Untitled-1.exe
Download:	download sample
Signature	Cobalt Strike Create hunting rule
File size:	259'314 bytes
First seen:	2024-12-16 18:33:32 UTC
Last seen:	2024-12-16 18:34:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e6c639e3275d54b1d55203d288591be2 (1 x Cobalt Strike)
ssdeep	3072:wO3F6NIO56cMVr8RqrH+MG9JoR12VQia29TzO1qPZg6QRaM6UjeOaXuiWFEx5hBY:wOGIKnIH+TYeQ9o5LfuNWBY
Threatray	540 similar samples on MalwareBazaar
TLSH	T10A447C85FBC5ACEBC6051235899B43793338FAD017875B271D29B3342D27AE0EE86647
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	smica83
Tags:	Cobalt Strike CobaltStrike exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
120.46.56.20:59823	https://threatfox.abuse.ch/ioc/1357407/

Intelligence

File Origin

# of uploads :

# of downloads :

671

Origin country :

Vendor Threat Intelligence

Malware family:

meterpreter

ID:

File name:

Untitled-1.exe

Verdict:

Malicious activity

Analysis date:

2024-12-16 18:36:30 UTC

Tags:

meterpreter backdoor cobaltstrike

Link:

https://app.any.run/tasks/e4a5bceb-597c-44ba-b4b2-293d2bab50f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.DropperX-gen.23690.12277.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67607498653a8698dfd5725a

Tags:

cobaltstrike emotet cobalt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug exploit overlay

Link:

https://www.filescan.io/uploads/6760729f2724f75c43095592/reports/ea3edfb0-3f65-4588-8751-b63e6ed54032/overview

Verdict:

Suspicious

Labled as:

TR/AD.MeterpreterSC

Link:

https://www.hybrid-analysis.com/sample/9f025dd00904f86d66fce2db647d50f08a2bded6a13cac535e7d55127dfdc850

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/7e9735cb-091c-45d4-9614-cc19aec85689

Result

Threat name:

CobaltStrike, Metasploit

Detection:

malicious

Classification:

troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1576315

Signature

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected CobaltStrike

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Score:

12%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/9f025dd00904f86d66fce2db647d50f08a2bded6a13cac535e7d55127dfdc850

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f025dd00904f86d66fce2db647d50f08a2bded6a13cac535e7d55127dfdc850/

Threat name:

Win64.Backdoor.Meterpreter

Status:

Malicious

First seen:

2024-12-16 18:34:04 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t4bf3uajat4g2zx44lnwi7kq6cfcxxwwue6kyu26pvkre7p5zbia._file

Verdict:

malicious

Label(s):

metasploit

cobaltstrike

Cobalt Strike

9ce4422a330102085b11c8f4358974048f4da66721f21c19aff85d02462206ed

Cobalt Strike

9f025dd00904f86d66fce2db647d50f08a2bded6a13cac535e7d55127dfdc850

Cobalt Strike

9fbfdbce59dcbe7cd8b3073d6e3445abbfaddf205b5973600f3ff6f666501b77

Cobalt Strike

c30fc17df989f401a1518088a58bef58c6e0ee7b91960452a547c87af9cda957

Cobalt Strike

error

Cobalt Strike

+ 530 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/241216-w7q5ysxmbz/

Verdict:

Suspicious

Tags:

cobalt_strike

YARA:

n/a

Link:

https://app.threat.zone/submission/7925f9e4-7623-481f-95dd-0f417019eb3c

Unpacked files

SH256 hash:

9f025dd00904f86d66fce2db647d50f08a2bded6a13cac535e7d55127dfdc850

MD5 hash:

0d24e99b74a85006341b95679a819117

SHA1 hash:

bfcae0faa60506cc9a8dd4dcdc0b2cfdc33c2142

Link:

https://www.unpac.me/results/a30de2fd-0e00-4fc2-98eb-518fb110b91b/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high
CHECK_TRUST_INFO	Requires Elevated Execution (uiAccess:None)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample