MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2e5364644255681ae085c113b6d88e4d3bc1db18d3ef8c06b8264194a39687e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
CobaltStrike
Vendor detections: 12
| SHA256 hash: | 2e5364644255681ae085c113b6d88e4d3bc1db18d3ef8c06b8264194a39687e9 |
|---|---|
| SHA3-384 hash: | c810388e5942a088edf657178ecf396cd2d1677c9bdf15f1656164453378c76d6664259705fd6472e0faf95574f72439 |
| SHA1 hash: | 00b9b0cc846add4164dde07a4b03e357118a3126 |
| MD5 hash: | e178cc94333d536aaf159b641ab71b2c |
| humanhash: | blue-bravo-mobile-bacon |
| File name: | 绩效系统员工操作手册-目标管理+绩效管理_云公司考核者版.exe |
| Download: | download sample |
| Signature | CobaltStrike |
| File size: | 4'654'592 bytes |
| First seen: | 2022-05-24 09:15:47 UTC |
| Last seen: | 2022-05-24 09:54:39 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 62a5dd25af85564e3aeb55c6407225e3 (2 x CobaltStrike) |
| ssdeep | 98304:S0+E9G0Iv7XF4UNLQPrGR4C3hrx+LWGXHt9lOYN:fX9G0Iv714QX2C37+LWG3tH |
| Threatray | 1'416 similar samples on MalwareBazaar |
| TLSH | T1C526CF1AAB6508E4DCB6C2348A565633E7B1BC1527716BEB03A0F6771F33AD11E3A704 |
| TrID | 48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1) |
| File icon (PE): |  |
| dhash icon | 30828c988c868a30 (2 x BluStealer, 2 x CobaltStrike) |
| Reporter |  obfusor |
| Tags: | CobaltStrike exe |
Intelligence
File Origin
# of uploads :
2
# of downloads :
709
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
two-samplesss.zip
Verdict:
Malicious activity
Analysis date:
2022-05-24 08:19:44 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Suspicious
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP POST request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
expand.exe greyware packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cobalt Strike
Verdict:
Malicious
Result
Threat name:
CobaltStrike
Detection:
malicious
Classification:
troj
Score:
76 / 100
Signature
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found malware configuration
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Status:
Suspicious
First seen:
2022-05-24 09:16:11 UTC
File Type:
PE+ (Exe)
Extracted files:
150
AV detection:
11 of 26 (42.31%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
cobaltstrike
Similar samples:
+ 1'406 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
2e5364644255681ae085c113b6d88e4d3bc1db18d3ef8c06b8264194a39687e9
MD5 hash:
e178cc94333d536aaf159b641ab71b2c
SHA1 hash:
00b9b0cc846add4164dde07a4b03e357118a3126
Detections:
win_mail_o_auto
Malware family:
CobaltStrike
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | CobaltStrikeBeacon |
|---|---|
| Author: | ditekshen, enzo & Elastic |
| Description: | Cobalt Strike Beacon Payload |
| Rule name: | CobaltStrike_C2_Encoded_XOR_Config_Indicator |
|---|---|
| Author: | yara@s3c.za.net |
| Description: | Detects CobaltStrike C2 encoded profile configuration |
| Rule name: | CobaltStrike_MZ_Launcher |
|---|---|
| Author: | yara@s3c.za.net |
| Description: | Detects CobaltStrike MZ header ReflectiveLoader launcher |
| Rule name: | CobaltStrike_Sleep_Decoder_Indicator |
|---|---|
| Author: | yara@s3c.za.net |
| Description: | Detects CobaltStrike sleep_mask decoder |
| Rule name: | HKTL_CobaltStrike_Beacon_4_2_Decrypt |
|---|---|
| Author: | Elastic |
| Description: | Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2 |
| Reference: | https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures |
| Rule name: | HKTL_CobaltStrike_Beacon_Strings |
|---|---|
| Author: | Elastic |
| Description: | Identifies strings used in Cobalt Strike Beacon DLL |
| Reference: | https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures |
| Rule name: | HKTL_Meterpreter_inMemory |
|---|---|
| Author: | netbiosX, Florian Roth |
| Description: | Detects Meterpreter in-memory |
| Reference: | https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ |
| Rule name: | HKTL_Win_CobaltStrike |
|---|---|
| Author: | threatintel@volexity.com |
| Description: | The CobaltStrike malware family. |
| Reference: | https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ |
| Rule name: | MALW_cobaltrike |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Rule to detect CobaltStrike beacon |
| Reference: | https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike |
| Rule name: | ReflectiveLoader |
|---|---|
| Author: | Florian Roth |
| Description: | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended |
| Reference: | Internal Research |
| Rule name: | SUSP_XORed_Mozilla |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious XORed keyword - Mozilla/5.0 |
| Reference: | Internal Research |
| Rule name: | SUSP_XORed_Mozilla_RID2DB4 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious XORed keyword - Mozilla/5.0 |
| Reference: | Internal Research |
| Rule name: | Trojan_Raw_Generic_4 |
|---|---|
| Author: | FireEye |
| Reference: | https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html |
| Rule name: | win_cobalt_strike_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.cobalt_strike. |
| Rule name: | win_mail_o_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.mail_o. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.