MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfcfb9d9e92004fe8ed31789a3791a8f57ee892b55245360e00da328e1ccb0bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 4

Intelligence 4 IOCs YARA 10 File information Comments

SHA256 hash:	dfcfb9d9e92004fe8ed31789a3791a8f57ee892b55245360e00da328e1ccb0bd
SHA3-384 hash:	8875180fef00ef80ea4a5e429318ccc5722feb33abddd193159f8cd7b596497f8acf38d2841cbe94bc3f5325da67f34c
SHA1 hash:	b54b0b56a11149d6be02f0e24ea7b82ea08cb1a3
MD5 hash:	fe7c18df2a2511fbb18b39f604131ff4
humanhash:	fifteen-mirror-happy-fish
File name:	fe7c18df2a2511fbb18b39f604131ff4.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	180'224 bytes
First seen:	2020-06-22 13:44:29 UTC
Last seen:	2020-06-22 15:33:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	eafd436bff9edf0c0093983a40f3434d (1 x CobaltStrike)
ssdeep	3072:ejkblH1PqXEGNfsKgSsD7fDBHaggcH29EKR7iVjp+LAqZIyF:lblVabAHwDkG
Threatray	148 similar samples on MalwareBazaar
TLSH	1304BF1133D88036E12339798956D7BD0A6ABC29876198CF6FCD09B95F287C1D72732B
Reporter	abuse_ch
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/12618/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.43365832.29541.3851.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dfcfb9d9e92004fe8ed31789a3791a8f57ee892b55245360e00da328e1ccb0bd/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2020-06-20 12:26:01 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=37h3twpjeacp5dwtc6e2g6i2r5l65cjlkusfgyhabwrsryomwc6q._file

Verdict:

malicious

CobaltStrike

2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b

CobaltStrike

471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

CobaltStrike

5942b57d50e389ec7be01bd5b4007249e3755064fe156941dfbe310f7fa53a73

CobaltStrike

5f3e83b3aa82ef8adbf82f9971372b78015470ca185e77a367fc8f1a4963ea64

CobaltStrike

69924d712b640b6d7bbf056dfb46d5c1ef7be90861391f9ec64564617545e61f

CobaltStrike

838e751256c2c80b0ea3299a6c9410033a4ae8eeb15fa5dc913a5e2d2b041c5a

CobaltStrike

983d5da5a77bd35296ad8569ec9eeeb0b7984f9deadf4d7b65842275da53ca72

CobaltStrike

a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704

CobaltStrike

df638bde1ffafcfb7a25fe30b631d549299f9502f23efc47fc5efaa118e96b97

CobaltStrike

+ 138 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/200624-ntgbgm5s2e/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Loads dropped DLL

Deletes itself

Executes dropped EXE

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrike Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect CobaltStrike Beacon in memory
Reference:	https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html

Rule name:	CobaltStrike_C2_Encoded_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CobaltStrike_Sleep_Decoder_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike sleep_mask decoder

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Malware_QA_vqgk Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file vqgk.dll
Reference:	VT Research QA

Rule name:	PowerShell_Susp_Parameter_Combo Create hunting rule
Author:	Florian Roth
Description:	Detects PowerShell invocation with suspicious parameters
Reference:	https://goo.gl/uAic1X

Rule name:	ReflectiveLoader Create hunting rule
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	WiltedTulip_ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:	http://www.clearskysec.com/tulip

Rule name:	win_buer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_cobalt_strike_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12618/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample