MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0
SHA3-384 hash: 71656990521e9636899d74befb3c23c52ceeee764c1c8a2cc10f1d0e010da2f7746a3451995f1e875a006c8e45334217
SHA1 hash: 8e8bd2ba6350b86d06608d1a606c5ce496065349
MD5 hash: dd79e8677460856214ab5845904b43dd
humanhash: king-nitrogen-cold-thirteen
File name:tezehu.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:734'720 bytes
First seen:2020-11-13 21:56:45 UTC
Last seen:2024-07-24 16:19:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b9222e272e472e854b8d853512b1aeaf (1 x CobaltStrike)
ssdeep 12288:W+wuot3UnIwbsdWi1Bx24W4isgNgOgKIZ6XuTTz7PwpkGB6AccXa:LuUIwgdWQLi4iNNg3xZ6XyTwaGB6Psa
Threatray 187 similar samples on MalwareBazaar
TLSH E3F401407B89C577D26A1930CC65DAFC86287E42CF649CEB32D57F2F3A344815A3AE25
Reporter malware_traffic
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.Meterpreter.146.4218.15140.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534255
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0/
Threat name:
Win32.Trojan.Slepak
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 01:40:36 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=paa3ox2ulqsm6752r2mnyrif2iobuep5ekgqi2c7ofgsuc7pqpya._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
gozi
Create hunting rule
Similar samples:
1ac354c01e2acdecef6b871f3eee4fe919487b2ca740471fefce8dd3273dde87
CobaltStrike
2d797a098d2c0e164f5bfe29e3ae282f873709270f05950a3dc76d65f1acf47c
CobaltStrike
53f90f56eddfb8953d72e1d20dde2b97d40021318fd32bf30710d24eeb4c4a30
CobaltStrike
8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b
CobaltStrike
8f3eb6ca303de759c0530906ad4675432d7d3361641b46413e12f325b4028081
CobaltStrike
a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78
CobaltStrike
ad42170cf53ef7e0ea91196fedd5f8ae7665e207f9de002c63562f4b1db57717
CobaltStrike
b568a4ca18fce49b465d0db8697640d556f579932db0315398a810140c66f0db
CobaltStrike
d0c88b0ca2a78ef90470498fa686ad63e3473a4fc1337b2850461ecc07bd5b34
CobaltStrike
d1a71b6a8691f72eb133570b9e90e8de061a652a35e3b4039d0875bbc0f76f1c
CobaltStrike
+ 177 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201113-4sqamrhj6e/
Unpacked files
SH256 hash:
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0
MD5 hash:
dd79e8677460856214ab5845904b43dd
SHA1 hash:
8e8bd2ba6350b86d06608d1a606c5ce496065349
Link:
https://www.unpac.me/results/5c887479-07e9-4647-994e-4d9d5a8dd5bd/
SH256 hash:
39f91699ab4ac04404e48a31e848a4be3611b942829f4357f3dd049e0468b915
MD5 hash:
f98e055352101cfd956632ba908ac7c6
SHA1 hash:
b9d8ad40a560e0e04e943934f170ceeee5c78437
Link:
https://www.unpac.me/results/5c887479-07e9-4647-994e-4d9d5a8dd5bd/
SH256 hash:
c505d0290074bf433c713fec59cc3f5e5ca7c61c699d8da85a2f4ff27cf05a52
MD5 hash:
65d385639ac515760fa93893874a12f0
SHA1 hash:
f1ccd24472605c46023bcf8694aaca70e2775c95
Link:
https://www.unpac.me/results/5c887479-07e9-4647-994e-4d9d5a8dd5bd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Beacon_K5om
Create hunting rule
Author:Florian Roth
Description:Detects Meterpreter Beacon - file K5om.dll
Reference:https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:Leviathan_CobaltStrike_Sample_1
Create hunting rule
Author:Florian Roth
Description:Detects Cobalt Strike sample from Leviathan report
Reference:https://goo.gl/MZ7dRg
Rule name:Malware_QA_vqgk
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file vqgk.dll
Reference:VT Research QA
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/814980/
  
Delivery method
Distributed via web download

Comments