MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8
SHA3-384 hash: fa438305c837391313287626f352f0e24c3248a4b54695fabc3af64691c0cc45031edd04f303bf10e5187f866a7cc7d1
SHA1 hash: 3a1aeae644bcab943d5ef4c597ba8c98295c1ef0
MD5 hash: 1605bd8d21a70ec453c9dc9bd088b690
humanhash: equal-yellow-yankee-network
File name:Fooler.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:403'456 bytes
First seen:2022-11-12 04:16:37 UTC
Last seen:2022-11-12 05:46:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a73e7be2d7bdb23d9bf4e5c9b18860fd (1 x CobaltStrike)
ssdeep 6144:Zn2OmCVpRr9omsbH+Xj1VS+TZt9PgGeB4nDcRTkyV8oHdm0jm:ZzW/buRZ9IGeBy4RTRiHMm
Threatray 2'082 similar samples on MalwareBazaar
TLSH T1C5847D5BAC1914FDFF2A073D5856450BCBF1797A6108B60F81EF8A014F066BA6E0A7D3
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter dor0n
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fooler.exe
Verdict:
No threats detected
Analysis date:
2022-11-12 04:17:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/375511d6-da2c-443c-888f-5b327ac613ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332765/
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.25.31735.20270.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Launching a process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51569/overview
Behaviour
MalwareBazaar
CallSleep
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/636f1e3e4834ec1f25eee851/reports/a92a9940-b796-4ecf-9632-61f7e8fc4527/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/391b58cd-a6b3-4bb1-b796-812dc5ea63b4
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1111686
Signature
C2 URLs / IPs found in malware configuration
Early bird code injection technique detected
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Uses bootcfg to modify the Windows boot settings
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 744382 Sample: Fooler.exe Startdate: 12/11/2022 Architecture: WINDOWS Score: 100 18 Malicious sample detected (through community Yara rule) 2->18 20 Yara detected CobaltStrike 2->20 22 C2 URLs / IPs found in malware configuration 2->22 24 Machine Learning detection for sample 2->24 7 Fooler.exe 1 2->7         started        process3 signatures4 26 Early bird code injection technique detected 7->26 28 Uses bootcfg to modify the Windows boot settings 7->28 30 Maps a DLL or memory area into another process 7->30 32 Queues an APC in another process (thread injection) 7->32 10 bootcfg.exe 1 7->10         started        12 conhost.exe 7->12         started        process5 process6 14 conhost.exe 10->14         started        16 WerFault.exe 10->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8/
Threat name:
Win64.Malware.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-11-12 04:17:07 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
6 of 41 (14.63%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlevyydc375ttfnvnqesxuucyon2rzhmiqjrxc22qmhbgtberw4a._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
163ed9127c4215f7963066a7266168101d03393ca72cd3516b9063dad75c33c1
CobaltStrike
50961ee399fc45bdfcec9201e069417a8bd00bc38bd1707a32c65451c33a17da
CobaltStrike
63791a89341405f3c2bfa9454358dc970156cd21a8c69a58cff48b97e991e07c
CobaltStrike
6818881fa2f414dd471e2bbbd5d0321c94e66089737a603f6dc55d6f38b2f487
CobaltStrike
703c9237856738e87683ba32d983cbf8e5db2e284553190ee768d0ebb0a0580a
CobaltStrike
7a542cc9772e7433293f2633d019a9f4459ac516a06d5512ba886aeca6c6fa86
CobaltStrike
96f1143875956621e590d05da84a3b75d498ecbf6afda44208894c2f51a8464b
CobaltStrike
a210787ffd0a6a918cd8c950ce6b5af178902b2e5a49799e0a17d8b25200ca6f
CobaltStrike
+ 2'072 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/221112-ewc1hsgg31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b297a4a6-620a-4db9-8ed5-c672df040d4b
Unpacked files
SH256 hash:
cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8
MD5 hash:
1605bd8d21a70ec453c9dc9bd088b690
SHA1 hash:
3a1aeae644bcab943d5ef4c597ba8c98295c1ef0
Link:
https://www.unpac.me/results/c764c235-d0c9-401d-8246-3c32f715bf13/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cac95c6062df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/332765/

Comments