MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24ac33d5e4749a6ba9f51670dbf834ed6b9190293b3b892d367a69cafeb3c320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24ac33d5e4749a6ba9f51670dbf834ed6b9190293b3b892d367a69cafeb3c320
SHA3-384 hash: 7b4f7a73604154652ad267145c40eb74c8428a8a8ec2228b2c0d905ea88c5ee8c279c6a768e5438015ebdb7503bd1f1e
SHA1 hash: 0f14ee6fe4ed1fec8a045920c29bab03e1b10548
MD5 hash: fdf65d343b366ea4057802441556dd5a
humanhash: avocado-saturn-uniform-failed
File name:TwS3Vb0k.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:254'976 bytes
First seen:2020-06-19 15:15:21 UTC
Last seen:2020-06-19 15:36:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b83e91ab4a92f92a2d198ceb6c904dd8 (7 x CobaltStrike)
ssdeep 3072:LWFnqiDf6zVdINf8lR7xOJ2Ek90lTnrGtcrC9NZdan9cUFBYJk866pvXRI:LWFap5MwATrOQGNZdatBV6H
Threatray 23 similar samples on MalwareBazaar
TLSH 8744594536E03CF9EC67D27AC6534617EFB27C224630D71F03A44A9A4F277A1A22D762
Reporter cocaman
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9654/
Detection(s):
SecuriteInfo.com.Variant.Razy.622210.18329.4723.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win64.PUA.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2020-06-19 15:36:09 UTC
File Type:
PE+ (Dll)
AV detection:
22 of 31 (70.97%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eswdhvpeosngxkpvczynx6bu5vvzdebjhm5ysljwpju4v7vtymqa._file
Verdict:
malicious
Similar samples:
129aefff5a7c2da45e7c0afe8bfbe3a16c437328ee569640d0c90a7c91de0dd7
CobaltStrike
32b8ffac3250444904e6af3fca1f6408e684f11ad59e6c46887cf44f5de19e6b
CobaltStrike
3f6a83e5c484e9d495e3f29ffcedc2881690d54a7058e5c677e3feda66ed96fe
CobaltStrike
4d71f1eab01045de9ae76ea248be7746bad70c12ad977eeb6e8f8e46bbce6395
CobaltStrike
77ca67665054e0f4b8f8c6ab829a31c561aa019c7709b780bf3aca26d492f7ba
CobaltStrike
88e9a52bdbeaf14d3ec556315c72cf3be8fe8c687e1a3100ef1883f6f3c0f29a
CobaltStrike
a1d9d1784959597859b70af8479ecb3a5eb577be1bcf10dc2b57fd7beb3ba874
CobaltStrike
bd50fceeb89d220f6710030d3aacbc2427c5796d9b7f3dee8a362f4e7d4113ef
CobaltStrike
c380f48e3d649b6a44b05134108a8c79536f289240e9ed9135e35dadffb6c350
CobaltStrike
f4d129a8289b89a4a8d385d89702bae3c7b5fcf9d32c3b1eee61bc0245bfb99a
CobaltStrike
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-ekrf58v6mj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/9654/

Comments