MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 756aa20c5c2541234854a2067ecdd210695615da7b2b2901bbb290200673725e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	756aa20c5c2541234854a2067ecdd210695615da7b2b2901bbb290200673725e
SHA3-384 hash:	08786b001a2ba4e4ab354c3c7607f749cd79b462ffd72cd28807fd97866afd8efbace225f33ccedaa2c53830d51af8ac
SHA1 hash:	72a9860bea1a246c3cea0acf8482d9339f7623be
MD5 hash:	e68194d95f108792bfe14a5e3e38fef6
humanhash:	oxygen-sixteen-mexico-timing
File name:	cs.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	226'816 bytes
First seen:	2021-09-26 08:31:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep	3072:6nCWwT7UUt8DIF6nBF3cFosj5SYTzXf6pHFqd2ggW8Th9qGLvKA:3VPAOQF3iosNSKzXf6plqd2gQmGu
Threatray	544 similar samples on MalwareBazaar
TLSH	T1C724F1F18C2A07A9D7C223B01022BC697E36471FD67C61F44566AC4FE7A74FA1602AF5
Reporter	drb_ra
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

599

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cobaltstrike_shellcode.exe

Verdict:

No threats detected

Analysis date:

2021-09-26 08:31:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3e623982-3e47-476f-8446-ebec941c5ffa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/191743/

Detection(s):

SecuriteInfo.com.Crypt5.BLLV.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/76ff7514-479a-459e-9c95-dd16be8a828b

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/858379

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/756aa20c5c2541234854a2067ecdd210695615da7b2b2901bbb290200673725e/

Threat name:

Win32.Trojan.CobaltStrike

Status:

Malicious

First seen:

2021-09-26 08:32:05 UTC

AV detection:

38 of 45 (84.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ovvkedc4evasgscuuidh5toscbuvmfo2pmvssan3wkicabttojpa._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

32d46b7131714c02c8668a1b821b4b12cd37f6597a56eb01430c22e315c34638

CobaltStrike

61a0bca8460972abed1f283c9e8a78e43e17e5177cc3a826d8d6beb4fcff14c2

CobaltStrike

7703da44bf261e65652af462d3d151498066a2dc315a9f6496204e51099b3e65

CobaltStrike

840dd55418bf2bd428f401ee565f08aef2c92eab8b4709158a845dd981dc090e

CobaltStrike

c1dd2c50a5ca07f1664a0950bcc93b2999bf32b5d11848f368130a43a364cf82

CobaltStrike

+ 534 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:1252603363 backdoor suricata trojan

Link:

https://tria.ge/reports/210926-kfas4seeem/

Behaviour

Cobaltstrike

suricata: ET MALWARE Cobalt Strike Beacon Activity (GET)

suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2

suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

Malware Config

C2 Extraction:

http://monitoring360.microsoft.com:443/jquery-3.3.1.min.js

Unpacked files

SH256 hash:

03e2ed7e07153a1a0e9bd3104030c10d00ff243c5f1e2da08dee65dbeadb87c9

MD5 hash:

c0a396462d8de7c6a69e440be4554a15

SHA1 hash:

b494a7b1551a5551a9bef1d250b67d09f9794bfc

Link:

https://www.unpac.me/results/1a561f08-7149-4c34-8932-c7b3f1ab5ced/

SH256 hash:

756aa20c5c2541234854a2067ecdd210695615da7b2b2901bbb290200673725e

MD5 hash:

e68194d95f108792bfe14a5e3e38fef6

SHA1 hash:

72a9860bea1a246c3cea0acf8482d9339f7623be

Link:

https://www.unpac.me/results/1a561f08-7149-4c34-8932-c7b3f1ab5ced/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/756aa20c5c2541234854a2067ecdd210695615da7b2b2901bbb290200673725e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_Beacon_XORed_x86 Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	Cobaltbaltstrike_strike_Payload_XORed Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5 Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in CobaltStrike shellcode
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Rule name:	HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5_RID361D Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in malware samples in APT report in DarkHydrus
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191743/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample