MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02b2b13533ce7a1875b458c8843c38cfc2123c504d4058fb1d343761d8fafd67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	02b2b13533ce7a1875b458c8843c38cfc2123c504d4058fb1d343761d8fafd67
SHA3-384 hash:	f83b74d70fcb84c82ae95b38a78c93eaa0aca9756070ffda437ad2937dc0bb4cf5a3f121df0a999bdad7d4bb27c33bcf
SHA1 hash:	65465e3f18fa5348bd6cafbe1ee0bd1616855fbb
MD5 hash:	59a194959423ed4df431a7270ab134ec
humanhash:	papa-california-batman-sink
File name:	59a194959423ed4df431a7270ab134ec.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	5'029'376 bytes
First seen:	2023-07-11 09:00:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 36 x Vidar)
ssdeep	49152:fckU6L78rb/T0vO90d7HjmAFd4A64nsfJdeJSqWesvi/B76Gsm5jYkZsIgRRYMz4:dHuZ12Nlly
Threatray	398 similar samples on MalwareBazaar
TLSH	T14036AF72354E7CB6EEDD693040112E042D7C7D8B6B2423CB7B49B1BA267B6D48D38B64
gimphash	9b38b0713a2ea5e92150fb853283ae81037b6baba303a5748087b548d767fef0
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	59a88d8c6a4a0118 (9 x CobaltStrike, 3 x PureCrypter, 1 x RemcosRAT)
Reporter	obfusor
Tags:	Cobalt Strike exe

Intelligence

File Origin

# of uploads :

# of downloads :

295

Origin country :

Vendor Threat Intelligence

Malware family:

cobaltstrike

ID:

File name:

59a194959423ed4df431a7270ab134ec.exe

Verdict:

Malicious activity

Analysis date:

2023-07-11 09:02:42 UTC

Tags:

cobaltstrike

Link:

https://app.any.run/tasks/53ec8141-5e27-462e-b36e-cf37b69172c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/415421/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.8501.21017.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file

Creating a process from a recently created file

Running batch commands

Сreating synchronization primitives

Sending a custom TCP request

Launching a process

Searching for synchronization primitives

Creating a window

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/97108/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

golang packed

Link:

https://www.filescan.io/uploads/64ad1a4fb1d2dc145c1c40a3/reports/c0a24690-5048-40f6-b414-e3c707868e63/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/02b2b13533ce7a1875b458c8843c38cfc2123c504d4058fb1d343761d8fafd67

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/211dd549-17a4-4eb5-ad92-99d63fb6498a

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1270705

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02b2b13533ce7a1875b458c8843c38cfc2123c504d4058fb1d343761d8fafd67/

Threat name:

Win64.Backdoor.CobaltStrikeBeacon

Status:

Suspicious

First seen:

2023-07-11 09:01:06 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=akzlcnjtzz5bq5nuldeiipbyz7bbepcqjvafr6y5gq3wdwh27vtq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

22a2d7af185892d400b7b98c62dedaf8ff9bfdf65fcc7c6c20d4ca102452db6d

CobaltStrike

2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f

CobaltStrike

30ae355e70bf77c5811632438d6a8c6a0882a3acfaa28210ea351f4d5ed5212e

CobaltStrike

73e5ae0c85b89a79d76a050e7bc659ba519cb784ea431cd1d0c399436c4031cf

CobaltStrike

7e598e4c17cfc92223c05bab3dc60f0b6325501e58ef34090e635557f29eef44

CobaltStrike

c6f0810b4ca4c2e70a07eddcbd14459e875deced05f5619dfd4df6f49a2130a9

CobaltStrike

+ 388 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:100000000 backdoor trojan

Link:

https://tria.ge/reports/230711-kyv7rsfh63/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Enumerates physical storage devices

Drops file in Windows directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Cobaltstrike

Malware Config

C2 Extraction:

http://129.150.43.163:1443/poll

Unpacked files

SH256 hash:

02b2b13533ce7a1875b458c8843c38cfc2123c504d4058fb1d343761d8fafd67

MD5 hash:

59a194959423ed4df431a7270ab134ec

SHA1 hash:

65465e3f18fa5348bd6cafbe1ee0bd1616855fbb

Link:

https://www.unpac.me/results/6a0ce12a-1b03-4b3b-b6cf-1ff096f4bc11/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/415421/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample