MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2231fe26243e074c03019cb2e2a4f25c0ef60bc9e82022f3e88fc77c4bf18102. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 11


Intelligence 11 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2231fe26243e074c03019cb2e2a4f25c0ef60bc9e82022f3e88fc77c4bf18102
SHA3-384 hash: 8ffd0ce2dd4df95320f2a995db355460ed64e7fcc985d496a6b9e53336e93b1b0b45d8242b2c96588664f10fb759071e
SHA1 hash: f6c0b002532e2aaddf9d5e0948c7173f54ef6b5e
MD5 hash: b1ce868636e96a555f1076d7224b3083
humanhash: nevada-shade-cat-uncle
File name:b1ce868636e96a555f1076d7224b3083.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:284'672 bytes
First seen:2021-06-06 15:32:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dc25ee78e2ef4d36faa0badf1e7461c9 (118 x CobaltStrike, 5 x Cobalt Strike)
ssdeep 6144:DRlvlnmPG9j7RoTcqZ2SV4wVg2w9HJoV3jzrLBC:D7tn/p4cqZ2SyrHJodjzf4
Threatray 317 similar samples on MalwareBazaar
TLSH CB54BE21985A3890D5B6C5F41C5FF627DFD41F2984976CA2BEDE82F02863191F8A1F2C
Reporter abuse_ch
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b1ce868636e96a555f1076d7224b3083.exe
Verdict:
Malicious activity
Analysis date:
2021-06-06 15:36:33 UTC
Tags:
trojan cobaltstrike
Link:
https://app.any.run/tasks/0d58c87a-c449-44d7-9f03-cc727d95c507

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164762/
Detection(s):
Win.Trojan.CobaltStrike-7899872-1
Create hunting rule

Win.Countermeasure.LoaderWinGeneric-9804845-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797689
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected CobaltStrike
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2231fe26243e074c03019cb2e2a4f25c0ef60bc9e82022f3e88fc77c4bf18102/
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-06-06 15:33:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eiy74jrehyduyaybtszofjhslqhpmc6j5aqcf47ir7dxys7rqeba._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
064924bf49bd1809d90df0169eb6e354ce8f5b88100bb39b89460c480121fbeb
CobaltStrike
0e30a27d44484b9baa56e7b6050581e3edc3bd1b426057c85824d0cac493a3f1
CobaltStrike
2d797a098d2c0e164f5bfe29e3ae282f873709270f05950a3dc76d65f1acf47c
CobaltStrike
2f8571d423e2af665fecf616c284491982acd4d3ab59a4ceb0790fa713266376
CobaltStrike
53c9abf3e3d86b1d9d633aff273a70f11e83858d3fdb362108395f170bcdebc4
CobaltStrike
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0
CobaltStrike
8af8a2aa6d8db7a9bf93620814017b5296713963b74aba38eb7a35e62dcb7d3e
CobaltStrike
8f3eb6ca303de759c0530906ad4675432d7d3361641b46413e12f325b4028081
CobaltStrike
a2bcce439cb511eca635e14943b916e86a121c7062ac978437d2d080a54fff26
CobaltStrike
f4ca63aeb4e3246c5d923942497d650bc3920c9fbc78a330ecf9d7db67e0cb8f
CobaltStrike
+ 307 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:1359593325 backdoor trojan
Link:
https://tria.ge/reports/210606-6lzh3jlhtn/
Behaviour
Cobaltstrike
Malware Config
C2 Extraction:
http://121.4.243.112:8089/activity
Unpacked files
SH256 hash:
496406ad84bfa9962404749be66bf3a6c8ce10ffddf54ac99be0f3bfc609b3ec
MD5 hash:
bd79897ea083124784f7c3d1ae8c3c31
SHA1 hash:
c2efa1ad536fc6515960d84557a376cffdac4be9
Detections:
win_cobalt_strike_auto
Create hunting rule
Link:
https://www.unpac.me/results/91ee1ddf-a44e-48d8-94c5-0cb718ba82f8/
SH256 hash:
2231fe26243e074c03019cb2e2a4f25c0ef60bc9e82022f3e88fc77c4bf18102
MD5 hash:
b1ce868636e96a555f1076d7224b3083
SHA1 hash:
f6c0b002532e2aaddf9d5e0948c7173f54ef6b5e
Link:
https://www.unpac.me/results/91ee1ddf-a44e-48d8-94c5-0cb718ba82f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2231fe26243e074c03019cb2e2a4f25c0ef60bc9e82022f3e88fc77c4bf18102

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Beacon_K5om
Create hunting rule
Author:Florian Roth
Description:Detects Meterpreter Beacon - file K5om.dll
Reference:https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:CS_beacon
Create hunting rule
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_4_2_Decrypt
Create hunting rule
Author:Elastic
Description:Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:Leviathan_CobaltStrike_Sample_1
Create hunting rule
Author:Florian Roth
Description:Detects Cobalt Strike sample from Leviathan report
Reference:https://goo.gl/MZ7dRg
Rule name:Malware_QA_vqgk
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file vqgk.dll
Reference:VT Research QA
Rule name:MALWARE_Win_CobaltStrike
Create hunting rule
Author:ditekSHen
Description:CobaltStrike payload
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 2231fe26243e074c03019cb2e2a4f25c0ef60bc9e82022f3e88fc77c4bf18102

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1332685/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164762/

Comments