MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd2805fcbb98043679e0ce2ccd112134a767df7010acc24c395cffd73dbc56d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	fd2805fcbb98043679e0ce2ccd112134a767df7010acc24c395cffd73dbc56d6
SHA3-384 hash:	97c05ea0b43b7acdababce1a3b0777b7ebaedbd2b9af09db07a768e2b5fe785e50c21e70e8f78b37eb73e251be08066b
SHA1 hash:	e30ac17a4e055f13433805c43d48c3d2a80632f1
MD5 hash:	b2fed7a0187871e9d42e1ee52b3935bd
humanhash:	eleven-potato-high-four
File name:	Trojan.Win32.Cobalt.faf-fd2805fcbb98043679e0ce2ccd112134a767df7010acc24c395cffd73dbc56d6
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	792'064 bytes
First seen:	2023-03-16 19:40:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dd210d549c468f297ccc666d6fedc16d (1 x CobaltStrike)
ssdeep	6144:hESJuKAikmygoaKdra4R2XUmKEHPLR5sfNXbsVASXLLAirvgKwvkR18rXku:1ugkMKWUpEHPL8fNXbsVASblMTvkR
Threatray	340 similar samples on MalwareBazaar
TLSH	T1C4F44AA27E614E54CA01FE3C79E2D3509FC27CC00F606F1D7925F14ED6A14D9992AB8B
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0004209090900400 (1 x CobaltStrike)
Reporter	petikvx
Tags:	Cobalt Strike

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/374889/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46833774.7311.3595.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Running batch commands

Creating a process with a hidden window

Creating a file in the %temp% directory

Sending a custom TCP request

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/73435/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug cmd.exe cobalt cobaltstrike conti crypter smokeloader

Link:

https://www.filescan.io/uploads/641370d5c65d1ebf04c0c6f2/reports/64a7e35d-59c7-4a1a-8e52-3cc4c781af47/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/fd2805fcbb98043679e0ce2ccd112134a767df7010acc24c395cffd73dbc56d6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cc318a11-feff-4fee-b987-894f036ed152

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1195304

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd2805fcbb98043679e0ce2ccd112134a767df7010acc24c395cffd73dbc56d6/

Threat name:

Win64.Trojan.CobaltStrike

Status:

Malicious

First seen:

2021-08-20 22:31:02 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 39 (48.72%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7uual7f3tacdm6pazywm2ejbgstwpx3qccwmetbzlt75opn4k3la._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14

CobaltStrike

93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e

CobaltStrike

a0410b34f9a1161434b2df05470e2bc5d917ad44e419fe9d6a5008e3e3898b47

CobaltStrike

a27734578daa0ece490f3df8fef37d7218bd91e0d786021c6fa51ebfb40d782d

CobaltStrike

bc74b5b8a64345852af7d6d693558529f4aaaca0d9547aa57279b1cbe998ab70

CobaltStrike

ef6c768e35b2b443c17acec0088c935fdb593567f2a0494ca34f87ff3bcbb529

CobaltStrike

+ 330 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:0 backdoor trojan

Link:

https://tria.ge/reports/230316-yd39jaeg7w/

Behaviour

Suspicious use of WriteProcessMemory

Cobaltstrike

Malware Config

C2 Extraction:

http://82.117.252.209:80/RELEASE_NOTES

Unpacked files

SH256 hash:

fd2805fcbb98043679e0ce2ccd112134a767df7010acc24c395cffd73dbc56d6

MD5 hash:

b2fed7a0187871e9d42e1ee52b3935bd

SHA1 hash:

e30ac17a4e055f13433805c43d48c3d2a80632f1

Link:

https://www.unpac.me/results/59824b9c-4582-46b2-b7fa-75f19015b5c4/

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fd2805fcbb98/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fd2805fcbb98043679e0ce2ccd112134a767df7010acc24c395cffd73dbc56d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_RANSOM_ContiCrypter Create hunting rule
Author:	James Quinn, Binary Defense
Description:	Signature for a crypter associated with Conti

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/374889/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample