MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c
SHA3-384 hash: 80b615058ae57346ee9ba926202b5a4a6c7c06f1ed19cd2fe9f5f5ab170b42025e6dd0e9daa1951fd38ce4cc8349eb3a
SHA1 hash: b9b1239f89981e09c1f8d333e6631bf43386fe28
MD5 hash: efc4c153206e06fd43d07496e0be502c
humanhash: finch-sixteen-dakota-kilo
File name:CorpReport.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:156'168 bytes
First seen:2021-02-19 13:25:27 UTC
Last seen:2021-02-19 15:07:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7bd397771181510ed9dd92897ea74c5 (3 x CobaltStrike)
ssdeep 3072:krW1+PlAoE3DqKQevDXHoX6zr/YRr4FfNW9KWGeQ15aH:fWpETNQevzIX6zWreeQ1g
Threatray 614 similar samples on MalwareBazaar
TLSH 1EE3591B77A9B0E7E132897984510E09D733B8331761DB9F0260916E6E2BBD05E3EB71
Reporter ffforward
Tags:CobaltStrike signed Systems Analysis 360 Ltd

Intelligence

File Origin
# of uploads :
2
# of downloads :
572
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://corporate-report-pdf-2febr.getresponsepages.com
Verdict:
Malicious activity
Analysis date:
2021-02-19 12:40:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/303c3046-71dd-4248-a349-819828d449e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118005/
Detection(s):
SecuriteInfo.com.Malware.AI.3929139666.24993.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Changing a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/612687
Signature
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c/
Threat name:
Win64.Backdoor.Bazaarloader
Create hunting rule
Status:
Malicious
First seen:
2021-02-19 13:26:07 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
15305978d7c42e26d908feca9aed4efa3df89ae6524ecce10752a2ee3cdf813f
CobaltStrike
2c75fcb1983a87e786ec745a20df2f2e508c294da40e956e0c46786005120a6c
CobaltStrike
55c7a0ec28ac9319b3d2245882007c7c1f72b3f44970d24c6d5c355f993d1fb9
CobaltStrike
6fc2d85f11a802fd6abca3bd24c3b97af10671772c884a743c6e623382cefd88
CobaltStrike
836db6bde6f664fa42b020c7b4549713022eac87410c1ed1104b6d4df615a599
CobaltStrike
87dca59ec3d55bcb1b05da564e5ce0a164ab633f1c46a18a97f72a30efff7388
CobaltStrike
9a7d2b2c96ee9b7b0ddc1665988d935a719f04cdb2b2dd331ec36aa4f6597506
CobaltStrike
ca00167290891c622745230d52c813ab8e25f18d2106f18fb6dc2594383b58d8
CobaltStrike
e0952195d73431802bf22dad462b2fffda7ae4f4e384aad8e326b0c6404fb5bf
CobaltStrike
ede75c0a88d80043f79025dfd8ef91c3d1b01a1613f4a0347b2ceb29f8b19578
CobaltStrike
+ 604 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/210219-phcg9h6kh2/
Behaviour
Modifies system certificate store
Cobaltstrike
Malware Config
C2 Extraction:
http://hdhuge.com:443/files/remove.gif
http://hdhuge.com:443/skin
Unpacked files
SH256 hash:
cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c
MD5 hash:
efc4c153206e06fd43d07496e0be502c
SHA1 hash:
b9b1239f89981e09c1f8d333e6631bf43386fe28
Link:
https://www.unpac.me/results/e0248216-f76f-4d32-b6ec-b5e6b8114811/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:megacortex_rietspoof
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://tria.ge/210219-jaha71vx56
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/118005/

Comments