MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffeb7d694c82c2dfa5344d082b61386561202ccde69fc11257916b0da515c922. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 9



SHA256 hash: ffeb7d694c82c2dfa5344d082b61386561202ccde69fc11257916b0da515c922
SHA3-384 hash: f50b76fcdda4cbae1546ac307d5cb30b2eadb31b344bb3a4da7375669e68fe032f8f8dd0403ba28360dfaab1f9b63fa0
SHA1 hash: 52a95894b8551743058a1bfe56e38919f43819c4
MD5 hash: 2d2e2831ae6351fbee7810bfc0d10955
humanhash: stairway-seventeen-artist-xray
File name: 账号密码表.xls.exe
Signature: CobaltStrike
File size: 1'553'920 bytes
First seen: 2022-08-05 07:50:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6ed4f5f04d62b18d96b26d6db7c18840 (70 x BitRAT, 41 x RedLineStealer, 20 x TriumphLoader)
ssdeep: 24576:GW4sP/ippqFg0wSEn/v3KY1EoylYBAOL3jiVFToMK/GoFabCWx5h/xz1iWnmTlT:7xIqFPEH6YWooYBAOL3GVFTs/DFiCMNq
Threatray: 2'182 similar samples on MalwareBazaar
TLSH: T1CB7533D17703E012D5B611702AA38B36556FFC2BEE38574AAF11BF2F1D317A68858A42
TrID: 86.3% (.EXE) UPX compressed Win64 Executable (70117/5/12)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
2.4% (.EXE) Generic Win/DOS Executable (2002/3)
2.4% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 78e4c4e4c4d4ccd4 (1 x CobaltStrike)
Reporter: @obfusor
Tags: CobaltStrike exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 259
Origin country: HK
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
账号密码表.xls.exe
Verdict:
No threats detected
Analysis date:
2022-08-05 07:54:01 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Running batch commands
DNS request
Creating synchronization primitives
Launching a process
Searching for synchronization primitives
Creating a window
Searching for the window
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Status:
Malicious
First seen:
2022-07-20 16:30:28 UTC
File Type:
PE+ (Exe)
Extracted files:
41
AV detection:
16 of 26 (61.54%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
GoLang User-Agent
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
UPX packed file
Unpacked files
SHA256 hash:
ffeb7d694c82c2dfa5344d082b61386561202ccde69fc11257916b0da515c922
MD5 hash:
2d2e2831ae6351fbee7810bfc0d10955
SHA1 hash:
52a95894b8551743058a1bfe56e38919f43819c4

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: shad0w_beacon_16June
Author: SBousseaden
Description: Shad0w beacon compressed
Reference: https://github.com/bats3c/shad0w

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments