MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf2e8f662f7cff27920ca7c9b27277d1bdf67b58d727d6274e5c32e95d53a715. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	bf2e8f662f7cff27920ca7c9b27277d1bdf67b58d727d6274e5c32e95d53a715
SHA3-384 hash:	c4705a5425025952a2dd48ea3f80cd9178715d43ca06e67463cedd9057891dbe859508f4e1f840cff5d879228d5ba79d
SHA1 hash:	06ab1f119652cd5b0efec1ec1b16fd1deec501a1
MD5 hash:	82edfb8eaf5c3dbc9c62ca4884664823
humanhash:	whiskey-music-jersey-lake
File name:	bf2e8f662f7cff27920ca7c9b27277d1bdf67b58d727d6274e5c32e95d53a715
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	5'631'382 bytes
First seen:	2021-03-11 08:13:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a1da9ea396652d5e0b17e3ad46db6896 (2 x CobaltStrike)
ssdeep	98304:oL86LxjR/7JNzJwjI5klUigKYkBEvHPI9QxTdTaR5k7bmOgIK93:chFl6bUpMBOaR5KbfI
Threatray	25 similar samples on MalwareBazaar
TLSH	E6463338FC818173D077283648B2D3746A7429F10B089467AFD5193E9F335B2B9798B6
Reporter	JAMESWT_WT
Tags:	118.31.60.46 Cobalt Strike CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

548

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bf2e8f662f7cff27920ca7c9b27277d1bdf67b58d727d6274e5c32e95d53a715

Verdict:

Malicious activity

Analysis date:

2021-03-11 08:16:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6d0414ad-c7b0-4336-b00e-acb9cf273990

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/123760/

Detection(s):

Win.Malware.Generic-6651554-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a UDP request

Deleting a recently created file

Creating a file in the %temp% subdirectories

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/636596

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf2e8f662f7cff27920ca7c9b27277d1bdf67b58d727d6274e5c32e95d53a715/

Threat name:

Win32.Trojan.Cometer

Status:

Malicious

First seen:

2021-03-04 17:07:50 UTC

File Type:

PE (Exe)

Extracted files:

358

AV detection:

11 of 28 (39.29%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

1b87f2ef8a0150578ab639316e6f392ccac181c9fa18df5a04ccc56963644d02

CobaltStrike

289fd8d06a0809ace139201a7bd5896eecc684f0887e791f307e47bbfa5698e4

CobaltStrike

54446099158a525a638b624d85af6d3530970e9050a8b34d4130d1fbbad2dba3

CobaltStrike

611b8e22e90f2df191ab7e5522620c5350faf06d70b329647e044ce80d575e44

CobaltStrike

9165bc75e1a727c886b97c5dd3bdc42ed33d22f2895e8a830b94bd27fdeec2eb

CobaltStrike

95e35f1614df92a318a749a8f62a35b9c03f2f34f08ad5606b45c9d817ff1d93

CobaltStrike

a4e1a5b0197b59eb99538327584f8294e81259fd704c281469ec6b7ab7a2c046

CobaltStrike

e92b19cb2f281114eb2db737edd370bcf7d5ea35e84f07976d8d680abdb7d654

CobaltStrike

f29a85a0a8d5c438141903be9402dfea15cc0eb89e356da5b53d31edfabed15e

CobaltStrike

+ 15 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:metasploit backdoor pyinstaller trojan

Link:

https://tria.ge/reports/210311-c3dq2xh6fx/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Loads dropped DLL

MetaSploit

Malware Config

C2 Extraction:

http://118.31.60.46:82/i5sK

Unpacked files

SH256 hash:

27e62ed60d180382adaf7531c375ebafcd1b23fb6ee7c98d5eaf9423825b080d

MD5 hash:

5f9be4a6de2f77f778fd08c9ee38b2ef

SHA1 hash:

03006dbdd3c7b78c0cd552d43594a965991370a3

Link:

https://www.unpac.me/results/409c86b0-ef9a-433d-89f3-f06aaf7c09de/

SH256 hash:

917af4bb3022afa73d6140cd805d5f9321a87ef035d2b9ac6fe3859ed2bd2611

MD5 hash:

4c9e09b809b45d702eb3ba666066043d

SHA1 hash:

bd901b3b29c2c9792b3adfcdcba6e8ad739fcbf3

Link:

https://www.unpac.me/results/409c86b0-ef9a-433d-89f3-f06aaf7c09de/

SH256 hash:

8ad8c41c46d0840390ad8c3039d9bb1b97c3629303a8b622655ed527b1f0370d

MD5 hash:

c3163f70d5cb6ec86c4021769066eeb6

SHA1 hash:

4c065cb244b43a2f0de4827941b5ae57f987136e

Link:

https://www.unpac.me/results/409c86b0-ef9a-433d-89f3-f06aaf7c09de/

SH256 hash:

1e74b9382c79fa3681c8f44c1ec4661193b1f1639b7b286ce46f5feb45f92e0a

MD5 hash:

2e8e33fcf16bed21570ccabc1bc3a742

SHA1 hash:

4513e0098ae453946192d77f1d706f9d7fe97e26

Link:

https://www.unpac.me/results/409c86b0-ef9a-433d-89f3-f06aaf7c09de/

SH256 hash:

29749b2aa5cbbdc31231b5f06a4b7fc5dd7917400562f001323f1458b48a761b

MD5 hash:

0d8316bc5c628394ea5bba7e7db1f1e5

SHA1 hash:

e51d7b28c756daa6a900580f5d635e44bec3785f

Link:

https://www.unpac.me/results/409c86b0-ef9a-433d-89f3-f06aaf7c09de/

SH256 hash:

c7711cfd9b015f81dab9e0a194f5ab22a616136c4d1f77527fc7f8fa9f0f2755

MD5 hash:

33c3350b28032597aabee5b2ce662846

SHA1 hash:

0bb23af9f73a38adc78d9f92d447808139a68529

Link:

https://www.unpac.me/results/409c86b0-ef9a-433d-89f3-f06aaf7c09de/

SH256 hash:

bf2e8f662f7cff27920ca7c9b27277d1bdf67b58d727d6274e5c32e95d53a715

MD5 hash:

82edfb8eaf5c3dbc9c62ca4884664823

SHA1 hash:

06ab1f119652cd5b0efec1ec1b16fd1deec501a1

Link:

https://www.unpac.me/results/409c86b0-ef9a-433d-89f3-f06aaf7c09de/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bf2e8f662f7cff27920ca7c9b27277d1bdf67b58d727d6274e5c32e95d53a715

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_File_pyinstaller Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
Description:	Detect PE file produced by pyinstaller
Reference:	https://isc.sans.edu/diary/21057

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/malwrhunterteam/status/1369656504270340100?s=20

Cape

https://www.capesandbox.com/analysis/123760/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample