MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9f05c5dc82ee48ddff3dffb4bee0ed775e004aa040681844fb25d0c10b58bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	e9f05c5dc82ee48ddff3dffb4bee0ed775e004aa040681844fb25d0c10b58bde
SHA3-384 hash:	fac3e68fb028317a0e7538e04344b5611eb45031c9ccf4c5304f0c7dd220335288b6c63d115ea0e66cf869cdaf01b526
SHA1 hash:	a89ec5553871a903f8ec758b2e0b47155f2f23a0
MD5 hash:	2f910aa8d487f4fd97b8009282aa5e2c
humanhash:	nebraska-lactose-eighteen-helium
File name:	69660.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	553'848 bytes
First seen:	2023-05-23 16:53:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c184d28e6f85b3d39b042dbe9b1e7fad (1 x CobaltStrike)
ssdeep	3072:fcmtxpeOqSHROIj2tzVmOIftfEl8TXyFHHSrYXUzK2JboCJTIczcFSZ21M9S3ID:fRtxsOq6O7feEla6Sz1yczcFSZ21M9d
Threatray	330 similar samples on MalwareBazaar
TLSH	T12AC481B2D48483D0ED5A5F3120792F3D452F3E57FDACA71EA858B05137B3A822666C1B
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	33d0d8d4d4dcd833 (1 x CobaltStrike)
Reporter	Neiki
Tags:	Cobalt Strike

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

Vendor Threat Intelligence

Malware family:

cobaltstrike

ID:

File name:

69660.exe

Verdict:

Malicious activity

Analysis date:

2023-05-23 16:55:25 UTC

Tags:

cobaltstrike

Link:

https://app.any.run/tasks/642437ee-264b-4352-9406-0409f0d019ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeStager

Link:

https://www.capesandbox.com/analysis/390836/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67071653.5438.486.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/87608/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug overlay packed

Link:

https://www.filescan.io/uploads/646cef7366362573b3dd42b6/reports/c8342db4-e75c-4bed-82f6-bf8b8dc246d8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e9f05c5dc82ee48ddff3dffb4bee0ed775e004aa040681844fb25d0c10b58bde

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/17019288-32cf-48e3-9f64-cc6e43a0b3b7

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1241040

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e9f05c5dc82ee48ddff3dffb4bee0ed775e004aa040681844fb25d0c10b58bde/

Threat name:

Win64.Hacktool.Sysdupate

Status:

Malicious

First seen:

2023-05-16 03:11:40 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 37 (45.95%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5hyfyxoif3si3x7t375ux3qo2526abfkaqdidbcpwjoqyefvrppa._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2

CobaltStrike

66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa

CobaltStrike

7c8621cc3827c1ffbd39ebc8b24e430e2e6aa5bd7b148edc110be9b2914799dc

CobaltStrike

b375e37ee678d8fa056e06cfeccbe1077d517365a46981a811adb637ba5c838c

CobaltStrike

cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8

CobaltStrike

dcc481b5bdd6f0d48d0e8d36d50404628f905b7ccb15ad844658669747c02bfa

CobaltStrike

+ 320 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:100000 backdoor trojan

Link:

https://tria.ge/reports/230523-vd1a4agc47/

Behaviour

Modifies system certificate store

Suspicious use of NtCreateThreadExHideFromDebugger

Cobaltstrike

Malware Config

C2 Extraction:

http://service-cn1708rw-1253795072.gz.apigw.tencentcs.com:443/api/auth/poral/log1
http://service-cn1708rw-1253795072.gz.apigw.tencentcs.com:443/api/auth/v1/log

Unpacked files

SH256 hash:

e9f05c5dc82ee48ddff3dffb4bee0ed775e004aa040681844fb25d0c10b58bde

MD5 hash:

2f910aa8d487f4fd97b8009282aa5e2c

SHA1 hash:

a89ec5553871a903f8ec758b2e0b47155f2f23a0

Link:

https://www.unpac.me/results/cf4d2f55-dfa5-4dbb-a43e-0daf70fbdac3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Pay2Key

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e9f05c5dc82ee48ddff3dffb4bee0ed775e004aa040681844fb25d0c10b58bde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_0a1f3a057a1dce4bf7d76d0c7adf837e Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/390836/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample