MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcbd4211108cf3c477de91d78383150e1d30f98d41c372770503eb259a762824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcbd4211108cf3c477de91d78383150e1d30f98d41c372770503eb259a762824
SHA3-384 hash: 4e827666dc10b35c23bd6e4657007eb80449345f411e82200e674b04d8c1b46226b415831064796bf7eb2e015b58d19f
SHA1 hash: 21e16a2db3f2f0c2f07168154b03935f0cbc1938
MD5 hash: cd0fd71c523a9f84f8b08f3002f372a1
humanhash: wolfram-white-thirteen-cola
File name:EmployeeAnnualReport.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:123'360 bytes
First seen:2021-02-25 13:42:45 UTC
Last seen:2021-02-25 16:12:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ecb1983969c8a062d12af4e45f1a3c3 (1 x CobaltStrike)
ssdeep 768:mfAdzOxcdMP1DNegT5k/7IKOe49Zr5daZSBCa48ydSOIWMxSIHTe9dLTdp9afYx2:DOgMlM65qADxTNOIWMjHs1MfYNC
Threatray 620 similar samples on MalwareBazaar
TLSH BFC3A456A25440B4D4654CF989A577CA9E7AFC034B3282CF213B7EAA7E721C08BF4703
Reporter Anonymous
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
552
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EmployeeAnnualReport.exe
Verdict:
No threats detected
Analysis date:
2021-02-25 13:44:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b146f363-fd7e-4b0b-b30a-fc2e64b2a39c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119233/
Detection(s):
SecuriteInfo.com.MalCert-S.DYA.21167.1423.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Changing a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/618741
Signature
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcbd4211108cf3c477de91d78383150e1d30f98d41c372770503eb259a762824/
Threat name:
Win64.Backdoor.Bazarldr
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 13:43:07 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xs6ueeiqrtz4i566shlyhayvbyotb6mnihbxe5yfapvslgtwfasa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882
CobaltStrike
4379aad7a920fea59a8f6233f47de514e7ba3783d6ae3c230f458142fa9ae9c3
CobaltStrike
55c7a0ec28ac9319b3d2245882007c7c1f72b3f44970d24c6d5c355f993d1fb9
CobaltStrike
6fc2d85f11a802fd6abca3bd24c3b97af10671772c884a743c6e623382cefd88
CobaltStrike
a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11
CobaltStrike
ca00167290891c622745230d52c813ab8e25f18d2106f18fb6dc2594383b58d8
CobaltStrike
cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c
CobaltStrike
e0952195d73431802bf22dad462b2fffda7ae4f4e384aad8e326b0c6404fb5bf
CobaltStrike
ede75c0a88d80043f79025dfd8ef91c3d1b01a1613f4a0347b2ceb29f8b19578
CobaltStrike
f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d
CobaltStrike
+ 610 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/210225-asny7cft3x/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Cobaltstrike
Malware Config
C2 Extraction:
http://redwelt.com:443/files/links.gif
http://redwelt.com:443/eso.js
Unpacked files
SH256 hash:
bcbd4211108cf3c477de91d78383150e1d30f98d41c372770503eb259a762824
MD5 hash:
cd0fd71c523a9f84f8b08f3002f372a1
SHA1 hash:
21e16a2db3f2f0c2f07168154b03935f0cbc1938
Link:
https://www.unpac.me/results/d6b0267e-630f-4c7d-98ea-6d9e31d54391/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119233/

Comments