MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbef3369c686529f60b2e1cdf5090f31122f5d6a53e6112eea4078a805e5c455. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 12


Intelligence 12 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbef3369c686529f60b2e1cdf5090f31122f5d6a53e6112eea4078a805e5c455
SHA3-384 hash: 0273ed3cafbefc7a99c1cef00949948ab2e366d0f21965ac444942bf9bc3b5c06d10548ddf18a96e23566ff3de51dfd9
SHA1 hash: e5e7b636179ff9d586bc53424c46b9ed6a6f8937
MD5 hash: 7a4476155000dc40b1fd5e072cbda368
humanhash: twenty-eighteen-magnesium-asparagus
File name:7a4476155000dc40b1fd5e072cbda368.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:323'752 bytes
First seen:2021-06-24 06:14:50 UTC
Last seen:2021-06-24 06:57:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c621f3d98c71555d43763430f784fc88 (1 x CobaltStrike)
ssdeep 6144:U1f8dOciaoAkpbnFumhUfgIY3gpeysqekOhPeLGrmLP:qf8oaUpbyHIqKOGr+
Threatray 314 similar samples on MalwareBazaar
TLSH 4064C109DA5F8537DBFE93BC10A9B57B880A0A08B9F737D537B14064DA90B071CEB265
Reporter abuse_ch
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
489
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7a4476155000dc40b1fd5e072cbda368.exe
Verdict:
Malicious activity
Analysis date:
2021-06-24 06:15:56 UTC
Tags:
trojan cobaltstrike
Link:
https://app.any.run/tasks/3864d9a7-a026-4590-b8de-3f541a0c4405

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrike
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167840/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.76033.6060.11379.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/948cbaf5-647c-4178-9b44-358b1bd6b590
Result
Threat name:
CryptOne CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807177
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected CryptOne packer
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dbef3369c686529f60b2e1cdf5090f31122f5d6a53e6112eea4078a805e5c455/
Threat name:
Win32.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 01:08:49 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pxtg2ogqzjj6yfs4hg7kcipgejc6xlkkptbclxkib4kqbpfyrkq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0addfafe0e5f26952199b892cd6e822800e25cde1c6738fef6aac32d01d42704
CobaltStrike
0ce6ad36ff912286baa98105cbccab3457b2b0fda0796b51f898b695146c4022
CobaltStrike
37a88c00460beed5e1ba3ff00493934c8f8fb0e692b368691d3856454a905073
CobaltStrike
5b11998f63458e0c8f86b101bfa4c08d4d523417dd4763c65712b73e5258d434
CobaltStrike
b6868bf6126b8450e2863450959b4d8889d96e10e0f472de0d7269b3c8eff4e3
CobaltStrike
c19335daa94f85852468d5dad1fb9cf93bf121aee3eac8203180d88479965d94
CobaltStrike
c4c0bee389392c0677fd977cac9eaa868448c42d8b90281872cdf5b804e0525c
CobaltStrike
cc9a713b0db799bb4be1d74f9ef2d043985218e94d5004e5c42a4996dfb33131
CobaltStrike
d764ee64bc0d769c20c4823f0981ba1bf17e46c38812cd5036f0e2cfadb23b61
CobaltStrike
d859175475c077d7193ce0f1ee703ee4be5dd0804c45da6cbd447b7909c9a09f
CobaltStrike
+ 304 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:1359593325 backdoor cryptone packer trojan
Link:
https://tria.ge/reports/210624-waxtp5chrj/
Behaviour
Cobaltstrike
Malware Config
C2 Extraction:
http://152.89.247.80:80/IE9CompatViewList.xml
Unpacked files
SH256 hash:
b01ef755aca71559f4ab700c94e12615feab83985df908b7d92dd229fd4ae55a
MD5 hash:
07f5fff8dcf7dcf030efaad5ad7d4d7c
SHA1 hash:
afc26f1cfe58a9b7b42a6c3a9a2a219b69d80121
Link:
https://www.unpac.me/results/72d960e8-682e-4fba-8c6c-faf596d9b190/
SH256 hash:
b69e319a094c4b7d2a671e50f432df080c34c3417a49154d9ca0ea1badb497f5
MD5 hash:
96153e2da965606b90b5941e11ca9053
SHA1 hash:
aa76bd11e4bf3f6f91d34133751a67a9c3afaa2a
Link:
https://www.unpac.me/results/72d960e8-682e-4fba-8c6c-faf596d9b190/
SH256 hash:
dbef3369c686529f60b2e1cdf5090f31122f5d6a53e6112eea4078a805e5c455
MD5 hash:
7a4476155000dc40b1fd5e072cbda368
SHA1 hash:
e5e7b636179ff9d586bc53424c46b9ed6a6f8937
Link:
https://www.unpac.me/results/72d960e8-682e-4fba-8c6c-faf596d9b190/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbef3369c686529f60b2e1cdf5090f31122f5d6a53e6112eea4078a805e5c455

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Beacon_K5om
Create hunting rule
Author:Florian Roth
Description:Detects Meterpreter Beacon - file K5om.dll
Reference:https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:CS_beacon
Create hunting rule
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_4_2_Decrypt
Create hunting rule
Author:Elastic
Description:Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:Leviathan_CobaltStrike_Sample_1
Create hunting rule
Author:Florian Roth
Description:Detects Cobalt Strike sample from Leviathan report
Reference:https://goo.gl/MZ7dRg
Rule name:Malware_QA_vqgk
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file vqgk.dll
Reference:VT Research QA
Rule name:MALWARE_Win_CobaltStrike
Create hunting rule
Author:ditekSHen
Description:CobaltStrike payload
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Trojan_Win_Generic_101
Create hunting rule
Author:FireEye
Description:Detects FireEye Windows trojan
Reference:https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe dbef3369c686529f60b2e1cdf5090f31122f5d6a53e6112eea4078a805e5c455

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/167840/
  
URLhaus
https://urlhaus.abuse.ch/url/1392735/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1392739/

Comments