MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 013bb5ea2d163409cdad34f882c151db05da4e4dcd50fe68049f27e6e4454694. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	013bb5ea2d163409cdad34f882c151db05da4e4dcd50fe68049f27e6e4454694
SHA3-384 hash:	291e2c760b2575864af4386621b7e85993f4b1364d72090d8e7a8892810f3cd5e73402e1e572a0922b075e189951f104
SHA1 hash:	c311c6a3bbb7a3cdaea4aff121a57eb928f3d0a6
MD5 hash:	a7385206a51f983247ee46f08d750167
humanhash:	india-ink-sweet-cold
File name:	a7385206a51f983247ee46f08d750167.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	315'392 bytes
First seen:	2020-11-19 13:14:48 UTC
Last seen:	2020-11-19 15:10:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ff0ea450d7ab5ffadc29a9ae2b73dfcd (1 x CobaltStrike)
ssdeep	6144:EaFoWT6kRjQBVQ5WcqPM+xK8IxC4jZY59xc:FNjQBs1qPMGK8rl59W
Threatray	207 similar samples on MalwareBazaar
TLSH	2B646C4BF482F472F8E2013D0DB5DB9A95687C206B25A2733EC99E5E1A7C0D385776C2
Reporter	abuse_ch
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Inject3.2700.21366.8667.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/542903

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/013bb5ea2d163409cdad34f882c151db05da4e4dcd50fe68049f27e6e4454694/

Threat name:

Win32.Trojan.Malrep

Status:

Malicious

First seen:

2020-11-10 07:28:00 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ae53l2rncy2attnngt4ifqkr3mc5utsnzvip42aet4t6nzcfi2ka._file

Verdict:

malicious

Label(s):

cobaltstrike

gozi

CobaltStrike

53c9abf3e3d86b1d9d633aff273a70f11e83858d3fdb362108395f170bcdebc4

CobaltStrike

53f90f56eddfb8953d72e1d20dde2b97d40021318fd32bf30710d24eeb4c4a30

CobaltStrike

5cd1e21eef3c4ed694dc429b88b403995244060feb4fdea12473aff4d782e1f5

CobaltStrike

7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0

CobaltStrike

843ecb8f65383d379efac41850e2962630597fbb9d327215268c480e896fa16a

CobaltStrike

8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b

CobaltStrike

8f3eb6ca303de759c0530906ad4675432d7d3361641b46413e12f325b4028081

CobaltStrike

b568a4ca18fce49b465d0db8697640d556f579932db0315398a810140c66f0db

CobaltStrike

daf02e94d294b29896ebfcab021f4184a232617d876f4a8745d10d803a170775

CobaltStrike

+ 197 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:metasploit backdoor trojan

Link:

https://tria.ge/reports/201119-bmh23kxgle/

Behaviour

MetaSploit

Malware Config

C2 Extraction:

http://tcpsessionsconnect.com:443/sKJT

Unpacked files

SH256 hash:

013bb5ea2d163409cdad34f882c151db05da4e4dcd50fe68049f27e6e4454694

MD5 hash:

a7385206a51f983247ee46f08d750167

SHA1 hash:

c311c6a3bbb7a3cdaea4aff121a57eb928f3d0a6

Link:

https://www.unpac.me/results/2ecba748-3f9c-4973-bab0-558a6c9c47fc/

SH256 hash:

a33adfdd577a61619e967180346e03a4cd76a9d3974749b82beebd8b1a6959f1

MD5 hash:

32b92009f00328a3388c8c32f7faa49e

SHA1 hash:

19489713b55466a66dea7dafe47439d77436ca26

Link:

https://www.unpac.me/results/2ecba748-3f9c-4973-bab0-558a6c9c47fc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/013bb5ea2d163409cdad34f882c151db05da4e4dcd50fe68049f27e6e4454694

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	enzo
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_Unmodifed_Beacon Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects unmodified CobaltStrike beacon DLL

Rule name:	crime_win32_csbeacon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Cobalt Strike loader
Reference:	https://twitter.com/VK_Intel/status/1239632822358474753

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	ReflectiveLoader Create hunting rule
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	WiltedTulip_ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:	http://www.clearskysec.com/tulip

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

exe 013bb5ea2d163409cdad34f882c151db05da4e4dcd50fe68049f27e6e4454694

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/832564/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample