MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77ca67665054e0f4b8f8c6ab829a31c561aa019c7709b780bf3aca26d492f7ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77ca67665054e0f4b8f8c6ab829a31c561aa019c7709b780bf3aca26d492f7ba
SHA3-384 hash: be2c63e4415165a47c204d2d7176b62e8b18c98fb57e12011de57f70abb7b3fa2d1a96c2b458c86ec5a244806aad0a37
SHA1 hash: 04021e90bc3887acfe5c2c8c9b7bc5ce7c71fc2d
MD5 hash: b2137cfad309ffdfd6a6e46c77ce3c60
humanhash: paris-september-carbon-illinois
File name:77ca67665054e0f4b8f8c6ab829a31c561aa019c7709b780bf3aca26d492f7ba
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:263'680 bytes
First seen:2020-08-31 13:12:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 66d2443578cf18b01ff8483f4f361bfb (20 x CobaltStrike)
ssdeep 3072:T7gxjmVNvK8UNiHIw7zGy3fVMzJa1KGhDVTzD49vPWO/M0c0gHYJqDKUs:T7griHTHPKz0RTH83h/MDHm
Threatray 16 similar samples on MalwareBazaar
TLSH AE445A4532E0CCB5EC67D739CAA7461EE7B37CE64630D71F03644A5A4F273A1A22A352
Reporter JAMESWT_WT
Tags:49.235.166.224

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53568/
Detection(s):
Win.Trojan.CobaltStrike-8091534-0
Create hunting rule

Win.Tool.CobaltStrike-6336852-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/455526
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 280147 Sample: rYtZFx1xmq Startdate: 31/08/2020 Architecture: WINDOWS Score: 76 12 Malicious sample detected (through community Yara rule) 2->12 14 Antivirus / Scanner detection for submitted sample 2->14 16 Multi AV Scanner detection for submitted file 2->16 18 2 other signatures 2->18 6 loaddll64.exe 1 2->6         started        process3 process4 8 rundll32.exe 6->8         started        10 rundll32.exe 6->10         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77ca67665054e0f4b8f8c6ab829a31c561aa019c7709b780bf3aca26d492f7ba/
Threat name:
Win64.PUA.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2020-08-27 17:19:46 UTC
File Type:
PE+ (Dll)
AV detection:
23 of 29 (79.31%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7fgozsqktqpjohyy2vyfgrryvq2uam4o4e3paf7hlfcnves665a._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
129aefff5a7c2da45e7c0afe8bfbe3a16c437328ee569640d0c90a7c91de0dd7
CobaltStrike
2ce0a491dd1a778d1a0beee30cb52bfd3df11262d9783533c931c60484a4adb0
CobaltStrike
32b8ffac3250444904e6af3fca1f6408e684f11ad59e6c46887cf44f5de19e6b
CobaltStrike
39a7738c00d6a5dcc4709ad2e3f0b57565f7dc0325bdb5942c3e696c5736bc5a
CobaltStrike
67e4e4eb893a2386e782d4d4c7a44eaf70388cad0bb32f30fa3a06e466f583fd
CobaltStrike
a1d9d1784959597859b70af8479ecb3a5eb577be1bcf10dc2b57fd7beb3ba874
CobaltStrike
bd50fceeb89d220f6710030d3aacbc2427c5796d9b7f3dee8a362f4e7d4113ef
CobaltStrike
c380f48e3d649b6a44b05134108a8c79536f289240e9ed9135e35dadffb6c350
CobaltStrike
ec2f156359e30aaf1929dff8f4b97deba32fe642d7fb8a76ba2346605c2d94d0
CobaltStrike
f4d129a8289b89a4a8d385d89702bae3c7b5fcf9d32c3b1eee61bc0245bfb99a
CobaltStrike
+ 6 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike
Link:
https://tria.ge/reports/200831-axndgxytws/
Behaviour
Cobaltstrike family
Malware Config
C2 Extraction:
http://49.235.166.224:12406/IE9CompatViewList.xml
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CobaltStrike
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77ca67665054e0f4b8f8c6ab829a31c561aa019c7709b780bf3aca26d492f7ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_CobaltStrike_Beacon_Indicator
Create hunting rule
Author:JPCERT
Description:Detects CobaltStrike beacons
Reference:https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
Rule name:Beacon_K5om
Create hunting rule
Author:Florian Roth
Description:Detects Meterpreter Beacon - file K5om.dll
Reference:https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Rule name:CobaltStrike
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect CobaltStrike Beacon in memory
Reference:https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
Rule name:CobaltStrike_C2_Encoded_Config_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike C2 encoded profile configuration
Rule name:Leviathan_CobaltStrike_Sample_1
Create hunting rule
Author:Florian Roth
Description:Detects Cobalt Strike sample from Leviathan report
Reference:https://goo.gl/MZ7dRg
Rule name:Malware_QA_vqgk
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file vqgk.dll
Reference:VT Research QA
Rule name:MALW_cobaltrike
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect CobaltStrike beacon
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/53568/

Comments