MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cc7d4ede78c40918f18f2a409fab83fbce74afe666a558c1e18109204df0a0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	0cc7d4ede78c40918f18f2a409fab83fbce74afe666a558c1e18109204df0a0c
SHA3-384 hash:	d747b2c290104fb4a69462316c57a2b8e8d04a276ac6f07d78b310d32740930751cf565fa1eca8f55672561f09997258
SHA1 hash:	4ceca2331804ddcbbba679c2cdcbe06612fdfb49
MD5 hash:	542927e1c1854cfedc91a310b35a5e81
humanhash:	fix-quebec-edward-happy
File name:	542927e1c1854cfedc91a310b35a5e81.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	224'256 bytes
First seen:	2021-06-08 05:50:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep	6144:cRlW3Pg4AfRhkH/GQFX0ZYu26C7SHBwzcILA:cRlYPgVLkH/Fie79zcILA
Threatray	253 similar samples on MalwareBazaar
TLSH	4A24E0B6F321F4A4DA055672D96611633D71F0179BB02ACA8E53A317EF29ABC07A13D0
Reporter	abuse_ch
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

509

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cobaltstrike_shellcode.exe

Verdict:

Malicious activity

Analysis date:

2021-06-04 13:46:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9c2547f4-af50-4d39-b083-8e483c6fa4a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/165129/

Detection(s):

SecuriteInfo.com.Crypt5.BLLV.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/798482

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0cc7d4ede78c40918f18f2a409fab83fbce74afe666a558c1e18109204df0a0c/

Threat name:

Win32.Trojan.CobaltStrike

Status:

Malicious

First seen:

2021-06-04 18:51:00 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=btd5j3phrrajddyy6ksat6vyh66oosx6mzvflda6daijebg7biga._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

064924bf49bd1809d90df0169eb6e354ce8f5b88100bb39b89460c480121fbeb

CobaltStrike

2df05a70d3ce646285a0f888df15064b4e73034b67e06d9a4f4da680ed62e926

CobaltStrike

3f9cf521bf11dfe1a5b6baebde88f8eaac8e851ed8bcf220109d081b4a3f0b6f

CobaltStrike

7f139e55e24e25c6544a78d48a04400430a3431830e694ee0946d90075ec2a9c

CobaltStrike

947357e07af23779c44ed6442925ce67403dcc30fd76705f92faf123fb7e0213

CobaltStrike

9bca97c3be5d93a9d10b1f1ed2a22db889e866e0ae5046ca7079c5c92eb09982

CobaltStrike

be96bc38c87f74d973cf9375370f42e5f9dc854d52e413dac6bc6bacc2a16a63

CobaltStrike

c7a9310c100613e33934b5a510ab826a1a776386bb73540d346b70f37ed0a2a4

CobaltStrike

cf9f6a9389651599d4dd42b160643841cc1602b4dc4065ce4fbceaec0d8656d1

CobaltStrike

+ 243 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:1580103814 backdoor trojan

Link:

https://tria.ge/reports/210608-gbzvygca1x/

Behaviour

Modifies system certificate store

Cobaltstrike

Malware Config

C2 Extraction:

http://cdnforest.com:443/tab_shop_active.js

Unpacked files

SH256 hash:

bfa75cfbf360f2b25af436e93c084fc9e8b491ba548d29801c2667bad75f7e88

MD5 hash:

0ef6f02d2b3d17cbaf5d115c38861ae2

SHA1 hash:

f7ff3981f9b1809040c043466c4906852b7ee6ad

Link:

https://www.unpac.me/results/6bcb8241-6497-48eb-9671-80cff094267a/

SH256 hash:

0cc7d4ede78c40918f18f2a409fab83fbce74afe666a558c1e18109204df0a0c

MD5 hash:

542927e1c1854cfedc91a310b35a5e81

SHA1 hash:

4ceca2331804ddcbbba679c2cdcbe06612fdfb49

Link:

https://www.unpac.me/results/6bcb8241-6497-48eb-9671-80cff094267a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0cc7d4ede78c40918f18f2a409fab83fbce74afe666a558c1e18109204df0a0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DarkHydrus_Jul18_5 Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in malware samples in APT report in DarkHydrus
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	enzo
Description:	Cobalt Strike Beacon Payload

Rule name:	CS_beacon Create hunting rule
Author:	Etienne Maynier tek@randhome.io

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/165129/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample