MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858
SHA3-384 hash: 3d789ee6bb29b53440b5496054fd7323a68c4bdaa35961b2c94ec79199f213477d3cbd5ecb4012b2227d60a2deb23c7e
SHA1 hash: ed3cc2c262d38c32bf6a789b5af0f5652497927b
MD5 hash: 0edffd2d6933146b600d1578f4654be6
humanhash: fanta-two-blue-connecticut
File name:c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858.bin
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:154'112 bytes
First seen:2021-11-22 23:53:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 714417aa92d977b6d22b94563b5764db (1 x CobaltStrike)
ssdeep 3072:NFoNU2h8ujQnAdzzt2L1V4scSAA0Cx3b816DE:4U2hRoozzt2L1wSd003I0
Threatray 186 similar samples on MalwareBazaar
TLSH T167E3E736F9B7218EFA52D3306E57A411BDF178402E258E1D59128685CB6CDDCFA3BE02
Reporter Arkbird_SOLG
Tags:apt CobaltStrike exe tardigrade

Intelligence

File Origin
# of uploads :
1
# of downloads :
619
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6338204583231488.zip
Verdict:
Suspicious activity
Analysis date:
2021-11-22 22:29:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f5b83921-3f80-4502-872c-0a8e6fd33b5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
anti-debug conti crypter greyware shelma smokeloader
Link:
https://www.filescan.io/uploads/619c2d9e02c80febc2a6925b/reports/2935b1bc-1e8d-4cfd-a2e5-5a5bf372c5e5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b67bcec-cc54-4abf-a888-76ce2e989951
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/894302
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Process Patterns
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526780 Sample: V6oWh8Z20j.bin Startdate: 23/11/2021 Architecture: WINDOWS Score: 88 54 Found malware configuration 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 3 other signatures 2->60 8 loaddll64.exe 8 2->8         started        process3 process4 10 regsvr32.exe 7 8->10         started        13 rundll32.exe 8->13         started        16 iexplore.exe 1 73 8->16         started        18 5 other processes 8->18 dnsIp5 46 37.1.208.91, 49756, 49770, 49771 HVC-ASUS Ukraine 10->46 20 cmd.exe 1 10->20         started        23 WerFault.exe 10->23         started        62 System process connects to network (likely due to code injection or exploit) 13->62 25 cmd.exe 13->25         started        27 WerFault.exe 13->27         started        29 iexplore.exe 2 155 16->29         started        32 rundll32.exe 1 18->32         started        34 cmd.exe 18->34         started        36 cmd.exe 18->36         started        signatures6 process7 dnsIp8 44 C:\Users\user\AppData\Local\...\DEM38CF.tmp, ASCII 20->44 dropped 38 conhost.exe 20->38         started        40 conhost.exe 25->40         started        48 dart.l.doubleclick.net 142.250.203.102, 443, 49844, 49845 GOOGLEUS United States 29->48 50 btloader.com 104.26.6.139, 443, 49830, 49831 CLOUDFLARENETUS United States 29->50 52 10 other IPs or domains 29->52 42 cmd.exe 32->42         started        file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 00:25:48 UTC
File Type:
PE+ (Dll)
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00
CobaltStrike
1c7c1a28921d81f672320e81ad58642ef3b8e27abf8a8e51400b98b40f49568b
CobaltStrike
21997a8180c9d1add6f4b7eb35d754d9a15acc614cdb5b11078eb5da661d9d3e
CobaltStrike
2982b2da67e7c38952e2db5007c3f829328da458f7a90e9b3eb789598ccce6ac
CobaltStrike
bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946
CobaltStrike
bd50fceeb89d220f6710030d3aacbc2427c5796d9b7f3dee8a362f4e7d4113ef
CobaltStrike
c380f48e3d649b6a44b05134108a8c79536f289240e9ed9135e35dadffb6c350
CobaltStrike
cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252
CobaltStrike
cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe
CobaltStrike
e5fa7e3d66f99d172d3eba7af15276e7eb1958748832b8965b9eedba4cbfc90c
CobaltStrike
+ 176 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/211122-3xvhyscbf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Cobaltstrike
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://37.1.208.91:80/s9Fk
Unpacked files
SH256 hash:
c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858
MD5 hash:
0edffd2d6933146b600d1578f4654be6
SHA1 hash:
ed3cc2c262d38c32bf6a789b5af0f5652497927b
Link:
https://www.unpac.me/results/613a02a0-901c-4e2d-9926-580a957a7f2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0976a1fbc3dd938f1d2996a888d0b3a516b432a2c38d788831553d81e2f5858

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_RANSOM_ContiCrypter
Create hunting rule
Author:James Quinn, Binary Defense
Description:Signature for a crypter associated with Conti

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.isac.bio/post/tardigrade
Cape
Cape
https://www.capesandbox.com/analysis/208483/

Comments