MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f092970f8d406e0d01052e36238c3826d8392397802638af877a8d98ee6c9724. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f092970f8d406e0d01052e36238c3826d8392397802638af877a8d98ee6c9724
SHA3-384 hash: 286b0c9bf407644343ea3199600fa224376a6832a325f4a1f9c2d1891dc7499b914e13e65c0f4071d2e4583b06ad9096
SHA1 hash: 10e219a37a2def797c36413f38520d5c5ca6ea64
MD5 hash: 1a667970bfd9a06499e3a04013bb705c
humanhash: glucose-pasta-indigo-tango
File name:antivirus.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:152'320 bytes
First seen:2023-06-15 09:24:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 254a6142988dd0aa8b92746bef2b612a (1 x CobaltStrike)
ssdeep 3072:h0RGnDmuFcHTyjdYd2DfCqnJR9mNoWwJJJ655ZZopGPF9rxpEI0:h0RUlKTyXJRYOWwJJJ655ZZost9X6
Threatray 865 similar samples on MalwareBazaar
TLSH T163E37D3AE3524C79D8A792B16AC698D2A130FDB04770E05F325817343F2BE905F6E796
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 24e0c060c0d8c86c (1 x CobaltStrike)
Reporter obfusor
Tags:Cobalt Strike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9r1t4s.exe
Verdict:
Suspicious activity
Analysis date:
2023-06-15 08:52:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/272139b9-be36-4f28-bafb-1eb4b40d6354

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/399093/
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.32218.14316.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90843/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug evasive overlay packed
Link:
https://www.filescan.io/uploads/648ad8f190acee489f78ebe3/reports/293ebb81-4ef4-45ec-b95a-0c9f090a25a1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/f092970f8d406e0d01052e36238c3826d8392397802638af877a8d98ee6c9724
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d53f7cc7-7f3a-4373-b50e-d42b413da7e5
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1255184
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f092970f8d406e0d01052e36238c3826d8392397802638af877a8d98ee6c9724/
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2023-06-15 09:19:02 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cjjod4nibxa2aiffy3chdbye3mdsi4xqatdrl4hpkgzr3tms4sa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
1b11ae98b85bb0645abe36adcd852e6e84b51c6b5c811729f3c19f14f32d4e4f
CobaltStrike
501cd8b97f8f05211634cdb5eeb69b195870bd42a9bb40c42b1af2229a8f9b15
CobaltStrike
8356f3fd326f41fcfbbc17c9fa1a81abe75aae2831b364bf6f6a100a2bebc5c2
CobaltStrike
844f891f338bcde305546fb85d97ac01bfd2c4db663ce779e6048307af5085f5
CobaltStrike
89cb65bfaf8e7cb59a35bca859df284488f1f2264a4845c3bfcf4f82b3c3fcdd
CobaltStrike
8f280957b0f67aaa85e635f8ea7023598498a0ffbe6f8d53d7dd032ca27b632c
CobaltStrike
95654525c7022015e1177ff2e8eba84837f6808b6568bccd87af3e55a3c1f481
CobaltStrike
ad48e21de164d9089b94772d592ae72317f8aca3307c58d29dd798f0084450ba
CobaltStrike
+ 855 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:100000000 backdoor trojan
Link:
https://tria.ge/reports/230615-ldl9ssfe87/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Cobaltstrike
Malware Config
C2 Extraction:
http://service-fd3z3txp-1256276711.bj.apigw.tencentcs.com:443/bootstrap-2.min.js
http://service-fd3z3txp-1256276711.bj.apigw.tencentcs.com:443/api/getit
Unpacked files
SH256 hash:
f092970f8d406e0d01052e36238c3826d8392397802638af877a8d98ee6c9724
MD5 hash:
1a667970bfd9a06499e3a04013bb705c
SHA1 hash:
10e219a37a2def797c36413f38520d5c5ca6ea64
Link:
https://www.unpac.me/results/22e1e900-9262-41e2-bbe9-a0852ca36781/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f092970f8d40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f092970f8d406e0d01052e36238c3826d8392397802638af877a8d98ee6c9724

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0a1f3a057a1dce4bf7d76d0c7adf837e
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Unknown
Create hunting rule
Author:_langly
Description:detect file packed with NimSyscallPacker created by S3cur3Th1sSh1t

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/399093/

Comments