MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe
SHA3-384 hash: 45fd3f268bd207fa93c05e124e70dc7e9329a86c0a651bf1b07c68e98c4f8e908350b9be3ea9afbe140f4c0fa05bb43e
SHA1 hash: 86045acc01f6df135565e06dcca6f7c08f4287df
MD5 hash: dc8a45b47613b5f3a4e285870d177600
humanhash: london-angel-mexico-six
File name:cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:148'480 bytes
First seen:2021-11-22 23:24:37 UTC
Last seen:2021-11-23 00:42:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 937bd4797d14fcb82ba2199283413f3c (2 x CobaltStrike)
ssdeep 1536:CKtgwsh2wcEk7Bb/RB/pJxXVHnD/aWio5GgSkEzzVSct+e8M7U/nXbuL903Xd2dn:ftri2ak1b/R1HjHirDVSctgLnaIRQd
Threatray 184 similar samples on MalwareBazaar
TLSH T13AE3E536FAA73109F952E734AE17E0207DD178401E258E2D6A528585CF38EDCFE2FA51
Reporter Arkbird_SOLG
Tags:apt CobaltStrike exe tardigrade

Intelligence

File Origin
# of uploads :
2
# of downloads :
582
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe
Verdict:
No threats detected
Analysis date:
2021-11-22 23:41:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50ce140b-46ac-40d0-870b-a0aa2ce793e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Bulz.393610.30860.17558.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug conti crypter greyware
Link:
https://www.filescan.io/uploads/619c26d394a88037d2ff4fae/reports/f8fb706d-47ea-4abc-a543-e4021383f591/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38138fd3-4e75-4180-8b69-3238d86d048c
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/894281
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Process Patterns
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526755 Sample: Qf3znUYo2b Startdate: 23/11/2021 Architecture: WINDOWS Score: 88 53 Found malware configuration 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 3 other signatures 2->59 8 loaddll64.exe 8 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 regsvr32.exe 7 8->13         started        16 iexplore.exe 2 72 8->16         started        18 5 other processes 8->18 dnsIp5 61 System process connects to network (likely due to code injection or exploit) 10->61 20 cmd.exe 10->20         started        22 WerFault.exe 10->22         started        49 8.39.147.87, 80 CFA-INSTITUTEUS United States 13->49 24 cmd.exe 1 13->24         started        26 WerFault.exe 13->26         started        51 192.168.2.1 unknown unknown 16->51 28 iexplore.exe 2 151 16->28         started        31 rundll32.exe 1 18->31         started        33 cmd.exe 18->33         started        35 cmd.exe 18->35         started        signatures6 process7 dnsIp8 37 conhost.exe 20->37         started        39 conhost.exe 24->39         started        43 dart.l.doubleclick.net 142.250.203.102, 443, 49812, 49813 GOOGLEUS United States 28->43 45 ad-delivery.net 104.26.2.70, 443, 49810, 49811 CLOUDFLARENETUS United States 28->45 47 10 other IPs or domains 28->47 41 cmd.exe 31->41         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe/
Threat name:
Win64.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 04:49:42 UTC
File Type:
PE+ (Dll)
AV detection:
29 of 45 (64.44%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00
CobaltStrike
118ed2b8b1f173f80cf2efd988170d78b876e0af02a10868b4d61aa01bedf1d3
CobaltStrike
21997a8180c9d1add6f4b7eb35d754d9a15acc614cdb5b11078eb5da661d9d3e
CobaltStrike
2982b2da67e7c38952e2db5007c3f829328da458f7a90e9b3eb789598ccce6ac
CobaltStrike
5ebd9eba9fe6c84809d5917da7be37a70e3c6579b5c14bbad37be8b35f2d67f4
CobaltStrike
bab8196c3630b25a0dc1c21303881e0dc4d1f560655b7f86e6986c9eb84ae946
CobaltStrike
bd50fceeb89d220f6710030d3aacbc2427c5796d9b7f3dee8a362f4e7d4113ef
CobaltStrike
c380f48e3d649b6a44b05134108a8c79536f289240e9ed9135e35dadffb6c350
CobaltStrike
cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252
CobaltStrike
e5fa7e3d66f99d172d3eba7af15276e7eb1958748832b8965b9eedba4cbfc90c
CobaltStrike
+ 174 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/211122-3eae3ahadl/
Behaviour
Suspicious use of WriteProcessMemory
Cobaltstrike
Malware Config
C2 Extraction:
http://8.39.147.87:80/static-directory/ro.ico
Unpacked files
SH256 hash:
cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe
MD5 hash:
dc8a45b47613b5f3a4e285870d177600
SHA1 hash:
86045acc01f6df135565e06dcca6f7c08f4287df
Link:
https://www.unpac.me/results/2cfc9127-2500-4307-86f6-9a3f8f6926b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf88926b7d5a5ebbd563d0241aaf83718b77cec56da66bdf234295cc5a91c5fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_RANSOM_ContiCrypter
Create hunting rule
Author:James Quinn, Binary Defense
Description:Signature for a crypter associated with Conti

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/jfslowik/status/1462873589825216517
Cape
Cape
https://www.capesandbox.com/analysis/208479/

Comments