MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70
SHA3-384 hash: 9d2f16aab6f7d6b46766ec00fefb500626ac46034dccc7f5b15a2f0882cfb724f23b54835173a8cd26a73848bae22475
SHA1 hash: b0e6784083ef003127f55ca13a3d7b21822ffc0f
MD5 hash: 1194f2e1e6d6e80fb8ea69905d18a77c
humanhash: timing-quiet-ack-tennessee
File name:bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:153'600 bytes
First seen:2023-03-03 15:47:17 UTC
Last seen:2023-03-03 17:33:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e713fed4424d9ef4872e4dba803d971 (1 x CobaltStrike)
ssdeep 3072:bw7iSXOs2Se0Nca+uuWDtYb7Fu24J9jTIu4Pbl/TtSdUfr:bwFXJka+ZWDZ2oQyd
Threatray 6 similar samples on MalwareBazaar
TLSH T168E37D47B3A51CB7F4B38576C8531A09E7767C222721DBAF0660433B6E237859E39B21
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter Anonymous
Tags:Cobalt Strike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70
Verdict:
No threats detected
Analysis date:
2023-03-03 15:59:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e48eca5-7792-496f-93aa-ccbc7a608b02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371468/
Detection(s):
SecuriteInfo.com.MSIL.Backdoor.Rozena.FR1JCA.29184.30828.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/640216b4bfec0852a68ecb42/reports/94591e6e-2211-4bd5-941f-f709d995dcd7/overview
Verdict:
Malicious
Labled as:
Win64/Kryptik_AGeneric.GR trojan
Link:
https://www.hybrid-analysis.com/sample/bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/914be25c-7872-4197-89c1-134abb6bb92c
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1186649
Signature
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 819533 Sample: WYw8Njgr7M.exe Startdate: 03/03/2023 Architecture: WINDOWS Score: 92 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected CobaltStrike 2->36 38 C2 URLs / IPs found in malware configuration 2->38 7 loaddll64.exe 7 2->7         started        process3 dnsIp4 26 nemucefah.com 7->26 10 rundll32.exe 6 7->10         started        14 cmd.exe 1 7->14         started        16 regsvr32.exe 6 7->16         started        18 2 other processes 7->18 process5 dnsIp6 42 System process connects to network (likely due to code injection or exploit) 10->42 20 rundll32.exe 14->20         started        30 nemucefah.com 157.254.194.99, 443, 49699, 49701 BEANFIELDCA United States 16->30 23 WerFault.exe 21 9 18->23         started        signatures7 process8 dnsIp9 40 System process connects to network (likely due to code injection or exploit) 20->40 28 192.168.2.1 unknown unknown 23->28 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70/
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2023-03-03 14:42:52 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
15 of 25 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xr2llofgincykkxx23ljgvmffh2kvlfa3fkhvjlspgy4x2myvnya._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
25177f86963cd89171a6f06bcd0559806f7c1fa1cff3a52eee89ad38c024b819
CobaltStrike
35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14
CobaltStrike
a0410b34f9a1161434b2df05470e2bc5d917ad44e419fe9d6a5008e3e3898b47
CobaltStrike
ef6c768e35b2b443c17acec0088c935fdb593567f2a0494ca34f87ff3bcbb529
CobaltStrike
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/230303-s8r7vshf5s/
Behaviour
Program crash
Cobaltstrike
Malware Config
C2 Extraction:
http://nemucefah.com:443/wp-includes/skin.mp3
Unpacked files
SH256 hash:
bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70
MD5 hash:
1194f2e1e6d6e80fb8ea69905d18a77c
SHA1 hash:
b0e6784083ef003127f55ca13a3d7b21822ffc0f
Link:
https://www.unpac.me/results/c5fbed44-2c09-4eab-ae8e-de08605e6870/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc74b5b8a643/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371468/

Comments