MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8c249cdd05e1d7366f263a0de0ff5f376eaaa13d29614f835b10f3cabacfcb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8c249cdd05e1d7366f263a0de0ff5f376eaaa13d29614f835b10f3cabacfcb3
SHA3-384 hash: 3e17a3a515cc5f416b663af89787f4613168adf798280ba8f2f62b59db38bb84ce84bde6da72cd2766d741aa6b7f9114
SHA1 hash: a27376caf193f849d552c845cd82e5301f722400
MD5 hash: 6b023e848ba01d1794883a1fb134a338
humanhash: foxtrot-magnesium-mississippi-zulu
File name:temp.ps1
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:3'555 bytes
First seen:2021-06-19 12:53:21 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 96:pg5SvvvOmVeLx1Yn64dKki6awUHCA0lgUV0la:SIvOPLx1YnIzaB6M
Threatray 164 similar samples on MalwareBazaar
TLSH 9571B85816DA794E68972407BD3E94811E3C1EA7C6CA3C00F9F45720E8D7D2AD1B7B54
Reporter JAMESWT_WT
Tags:198.13.63.107 CobaltStrike ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
615
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.CobaltStrike-7917400-0
Create hunting rule

Result
Verdict:
MALICIOUS
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8c249cdd05e1d7366f263a0de0ff5f376eaaa13d29614f835b10f3cabacfcb3/
Threat name:
Script-PowerShell.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-06-19 12:52:14 UTC
File Type:
Text (PowerShell)
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
3a226a3d31e8ba855fbc78efb76f820306f4f60e979333b241c7dadd70a5740d
CobaltStrike
844f891f338bcde305546fb85d97ac01bfd2c4db663ce779e6048307af5085f5
CobaltStrike
a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919
CobaltStrike
ae5b18cb1f45bb4409facea15bd5e309af0ebc6c687ccd2d4273f2c7008925e4
CobaltStrike
ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832
CobaltStrike
d67758e9af27afd184165266c7aad94b9dd9c78d6266849c731f2a3b2cd40c09
CobaltStrike
d9330b86534b1b2285f6b39745490fdeafcca69d975302f06edb0e3ce1c744e7
CobaltStrike
dddf1d1b2b58721f04fe1eb77804d02fb5fc14deca7d8b4f6a9ce3c55644090e
CobaltStrike
e625da9aa862eef338511a40f5e1ea8b05b4782dcd57a695a1c23538cd461424
CobaltStrike
ea3dcb24ae132149252ad1aba54c92317be45c3791f14007e94c1a7c509b3965
CobaltStrike
+ 154 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:426352781 backdoor trojan
Link:
https://tria.ge/reports/210619-d522t3tjw2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Blocklisted process makes network request
Cobaltstrike
Malware Config
C2 Extraction:
http://198.13.63.107:4445/BejL
http://198.13.63.107:4445/ptj
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/e8c249cdd05e1d7366f263a0de0ff5f376eaaa13d29614f835b10f3cabacfcb3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Msfpayloads_msf_ref
Create hunting rule
Author:Florian Roth
Description:Metasploit Payloads - file msf-ref.ps1
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1406231868236779520?s=20

Comments