MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fba8817602cb7dae175d9fec0900fbfd3e097aae4d32befaecd87d6e3fdb7412. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CobaltStrike
Vendor detections: 6



SHA256 hash: fba8817602cb7dae175d9fec0900fbfd3e097aae4d32befaecd87d6e3fdb7412
SHA3-384 hash: 710790ebb06dbd9ff2342495f7925f40a70eee467ecfb78e85e50f1687c6eae2456281c0d673a4088e2eca9ddd2ce47c
SHA1 hash: e0599d38735a4867ae88e0f9362d017acf2a22fa
MD5 hash: ee71a41a6128096140e5e8785802919b
humanhash: sad-early-table-orange
File name: fba8817602cb7dae175d9fec0900fbfd3e097aae4d32befaecd87d6e3fdb7412
Signature: CobaltStrike
File size: 19'940'372 bytes
First seen: 2020-09-18 09:53:20 UTC
Last seen: 2020-09-18 10:42:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep: 393216:WkMgCKxOkDeNYSA2MMbGoK4xAdB6jx0T1s+rG1GXz2m:W9qO+eLMMtK4+e10iqGWN
Threatray: 2 similar samples on MalwareBazaar
TLSH: 1E1733A518DA243DF29F32BD272DAA3766C17F4142C2BF56EBA9576C2910F3027C7241
Reporter: JAMESWT_WT
Tags: CobaltStrike, EasyConnect, embedded

Intelligence


File Origin
# of uploads: 2
# of downloads: 104
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the browser window
Creating a window
Sending an HTTP GET request
Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.evad
Score: 72 / 100
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Infects executable files (exe, dll, sys, html)
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
PE file has a writeable .text section
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Behavior Graph ID: 287361; Sample: iyvB42wBey; Start date: 18/09/2020; Architecture: WINDOWS; Score: 72

Signatures on the submitted sample:
  Multi AV Scanner detection for submitted file
  NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
  PE file has a writeable .text section
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Process tree (dropped files and network activity per process):
  iyvB42wBey.exe
    dropped: C:\Users\user\AppData\...\TaskServer.exe (PE32)
    dropped: C:\Users\user\...asyConnectInstaller_.exe (PE32)
    started: EasyConnectInstaller_.exe
      dropped: C:\...\VNICInstaller_X64.exe (PE32)
      dropped: C:\...\VC2010RedistX86UInstaller.exe (PE32)
      dropped: C:\...\TcpDriverInstaller.exe (PE32)
      dropped: 32 other files (1 malicious)
      started: TcpDriverInstaller.exe
        dropped: C:\Program Files (x86)\...\WfpDrv_win7X64.sys (PE32+)
        dropped: C:\Program Files (x86)\...\WfpDrv_win7.sys (PE32)
        dropped: C:\Program Files (x86)\...\WfpDrvX64.sys (PE32+)
        dropped: 5 other files (1 malicious)
        signature: Sample is not signed and drops a device driver
        started: Remove.exe
        started: Install.exe
      started: DnsDriverInstaller.exe
        dropped: C:\Program Files (x86)\...\DnsDrvx64.sys (PE32+)
        dropped: C:\Program Files (x86)\Sangfor\...\DnsDrv.sys (PE32)
        dropped: 4 other files (none is malicious)
        started: Remove.exe
        started: Install.exe
      started: VNICInstaller_X64.exe
        dropped: 6 other files (1 malicious)
        started: ndiscleanup.x64.exe
          started: conhost.exe
        started: vacon.exe
          started: conhost.exe
      started: 10 other processes
        network: 192.168.2.1 (unknown, unknown)
        dropped: 54 other files (none is malicious)
        signature: Infects executable files (exe, dll, sys, html)
        started: expand.exe
          dropped: C:\...\0f4337658e765245aa75868e567c003a.tmp (PE32)
          started: conhost.exe
        started: expand.exe
          dropped: C:\...\7b0e008b4944064e8c3a088a578cfce1.tmp (PE32)
          started: conhost.exe
    started: TaskServer.exe
      dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32)
      dropped: C:\Users\user\AppData\Local\...\select.pyd (PE32)
      dropped: C:\Users\user\AppData\Local\...\python37.dll (PE32)
      dropped: 47 other files (none is malicious)
      signature: Contains functionality to compare user and computer (likely to detect sandboxes)
      started: TaskServer.exe
        network: 39.101.174.221:39999 (CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China)
  svchost.exe (3 instances started directly from the sample)
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-09-12 05:35:46 UTC
File Type: PE (Exe)
Extracted files: 2352
AV detection: 17 of 29 (58.62%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Beacon_K5om
Author: Florian Roth
Description: Detects Meterpreter Beacon - file K5om.dll
Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html

Rule name: CobaltStrike_Sleep_Decoder_Indicator
Author: yara@s3c.za.net
Description: Detects CobaltStrike sleep_mask decoder

Rule name: CobaltStrike_Unmodifed_Beacon
Author: yara@s3c.za.net
Description: Detects unmodified CobaltStrike beacon DLL

Rule name: crime_win32_csbeacon_1
Author: @VK_Intel
Description: Detects Cobalt Strike loader
Reference: https://twitter.com/VK_Intel/status/1239632822358474753

Rule name: HKTL_Meterpreter_inMemory
Author: netbiosX, Florian Roth
Description: Detects Meterpreter in-memory
Reference: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name: Leviathan_CobaltStrike_Sample_1
Author: Florian Roth
Description: Detects Cobalt Strike sample from Leviathan report
Reference: https://goo.gl/MZ7dRg

Rule name: Malware_QA_vqgk
Author: Florian Roth
Description: VT Research QA uploaded malware - file vqgk.dll
Reference: VT Research QA

Rule name: PowerShell_Susp_Parameter_Combo
Author: Florian Roth
Description: Detects PowerShell invocation with suspicious parameters
Reference: https://goo.gl/uAic1X

Rule name: ReflectiveLoader
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: WiltedTulip_ReflectiveLoader
Author: Florian Roth
Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference: http://www.clearskysec.com/tulip

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments