MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946
SHA3-384 hash:	6284665461306a4e6301ce8b7f2a31cdd6a91d6795bba945727b2cb9a1feb5ed237fe48d2b624624a906e4a26a9122a5
SHA1 hash:	b45ac94e75c117e7631541d0d43cdf217ecf942a
MD5 hash:	5fd833b9a15f121c5c4f95c76048bd98
humanhash:	network-maryland-five-speaker
File name:	162_64.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	158'720 bytes
First seen:	2021-07-30 14:52:03 UTC
Last seen:	2021-07-30 15:48:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	977bd5eca4ceceed7dd81237a72aa281 (1 x CobaltStrike)
ssdeep	1536:fJxn5LX1a5BbATXnTYTx+IfAJ/Z4Kkf367Q1ymRPVntO+WulnFK/Colgt2U/nXbU:Ln9Ye+xLfE+fK7cTJnaIRQF
Threatray	1'049 similar samples on MalwareBazaar
TLSH	T15CF3B53FBAAB3015ED06A7B9AE47A060BDD178410E318E2F555141859F3CD88FE3FA19
dhash icon	c8dcdcdcdccccccc (1 x CobaltStrike)
Reporter	malware_traffic
Tags:	Cobalt Strike CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

978

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

162_64.exe

Verdict:

No threats detected

Analysis date:

2021-07-30 14:55:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3f432afa-07a8-4bb1-ac78-0254829a3b30

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/175308/

Detection(s):

SecuriteInfo.com.BackDoor.Meterpreter.213.21688.12593.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c08a2496-7ef4-4f8c-8be4-b6e1aac099a8

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/824541

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: CobaltStrike Process Patterns

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946/

Threat name:

Win64.Trojan.Smokeloader

Status:

Malicious

First seen:

2021-07-30 01:54:00 UTC

AV detection:

4 of 28 (14.29%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00

CobaltStrike

3175976cea0ac6b13312f1922423fca3f3d0bf99848f6b575c1063ed0f0cb8f4

CobaltStrike

452363ce4a4695a985d5a6200de2b43692f7e0d4df11f0b30b42fc78a0cc9440

CobaltStrike

84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252

CobaltStrike

8fabea95cbfe1da521dfcd7880ec3301a3a32175741680d8c1a8acacc0199eb7

CobaltStrike

a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11

CobaltStrike

cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c

CobaltStrike

dbafbe9edfdac67a781756a6970a7341fd5401b0914fff7e3e8136cff0426fc5

CobaltStrike

f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d

CobaltStrike

+ 1'039 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:0 backdoor suricata trojan

Link:

https://tria.ge/reports/210730-ghv91jkvp2/

Behaviour

Suspicious use of WriteProcessMemory

Cobaltstrike

suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)

Malware Config

C2 Extraction:

http://162.244.80.46:80/components/mt.ico
http://162.244.80.46:80/copyright.js

Unpacked files

SH256 hash:

bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946

MD5 hash:

5fd833b9a15f121c5c4f95c76048bd98

SHA1 hash:

b45ac94e75c117e7631541d0d43cdf217ecf942a

Link:

https://www.unpac.me/results/7ad25a79-8d1d-4da7-af5d-1aa9147b961d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_RANSOM_ContiCrypter Create hunting rule
Author:	James Quinn, Binary Defense
Description:	Signature for a crypter associated with Conti

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175308/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample