MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a72e28370f740e7e595134b1f53c7354665a92743a668a20ebe6cb00535e7552. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	a72e28370f740e7e595134b1f53c7354665a92743a668a20ebe6cb00535e7552
SHA3-384 hash:	61284a2b7d11bbeaf9ca3ebbdad11103f91b17041b7183e8f42562f5bdf55d64d4e10d82a92ba967f088b59b8940b5ec
SHA1 hash:	11f1a8b3ce6cae2b7cbc87a326cb64cc930dae9b
MD5 hash:	2952738c866766dba839c3ca8c7926ae
humanhash:	nitrogen-india-connecticut-vermont
File name:	2021成都世界大学生运动会系统安全补丁.doc.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	214'528 bytes
First seen:	2022-04-26 07:46:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8a915ba105a6c2920c8661c751ea3ff5 (1 x CobaltStrike)
ssdeep	3072:bN5qVko6BllpftE6GEPx+Tm7StQxX1OHSVmnoWb8NaeCE/to:/q6fdtzqmeQxlQoWBs/q
Threatray	1'688 similar samples on MalwareBazaar
TLSH	T194245B1773A531F8D167C639C9920A46EB727C7647209B9F0364B37A2F332919D3AB21
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	00e86cecece4e200 (1 x CobaltStrike)
Reporter	yingxin1996
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

657

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/266677/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a window

Searching for the window

Sending a custom TCP request

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6267a3772f162d9fdf6a7bf1/reports/92f190a9-5360-404c-8140-31cb5ed27d5d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b75735c8-3ec2-49e7-bf5e-a428cc400b9a

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/983020

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a72e28370f740e7e595134b1f53c7354665a92743a668a20ebe6cb00535e7552/

Threat name:

Win64.Backdoor.CobaltStrikeBeacon

Status:

Malicious

First seen:

2022-04-26 07:47:06 UTC

File Type:

PE+ (Exe)

Extracted files:

3

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

Similar samples:

00906f1cf709f6591880f952da59f41a3019944d23824e000592fe7de035c446

0ecf5a2c06c78f79bc20180e1be1c9e41487b5789b1af712ebb7ed6091486536

2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c

8438bfbb9c978de4f342a3ed19551f735343a9c1ed0c8610a332a83918cb5985

929fb8f4c028bab8fcb5b1f89163abbfa088fadc9555efb5f6508e09d90d6654

971c693bc67cf7b4b9655282b815bc1ba10ee937f1736ba1ef5fdb7aea392f6c

a72a126f3a637b0102c656a3308121fbcf6d8fb97841ca1a87f04a6e994fa776

bb4efe96748fcc28b827fc297d060c3ab32053cfb8ea506f8c97000debd22121

e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407

+ 1'678 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan

Link:

https://tria.ge/reports/220426-jmhxmabfa3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Cobaltstrike

Malware Config

C2 Extraction:

http://203.25.208.35:8852/Adapt/sysadmin/DV6QDW1LI5

Unpacked files

SH256 hash:

a72e28370f740e7e595134b1f53c7354665a92743a668a20ebe6cb00535e7552

MD5 hash:

2952738c866766dba839c3ca8c7926ae

SHA1 hash:

11f1a8b3ce6cae2b7cbc87a326cb64cc930dae9b

Link:

https://www.unpac.me/results/bc7709b9-d032-4d5c-a13d-e2c300f92af0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a72e28370f740e7e595134b1f53c7354665a92743a668a20ebe6cb00535e7552

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/266677/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample