MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cobalt Strike


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62
SHA3-384 hash: 0e0fd012bfe52dad2e69da2da0cdb7957f90821823002250a44c1a570a15da21674cbe70b2f0fe86134ecba2156206e0
SHA1 hash: a5ba4c296a88f74e6879dda20f99b6a67987e752
MD5 hash: aec68374e2ecd930e0243d021f4ec0df
humanhash: pip-cola-charlie-double
File name:file
Download: download sample
Signature Cobalt Strike
Create hunting rule
File size:204'288 bytes
First seen:2024-09-20 13:47:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 3072:OAGgiIM8IPUVaZZLIEx950N4EvzMXx4Q836brbOgCbppnZmjjJetAts93YqS1:7aId43l0ex4Q836bObnZmjjJetl93E
Threatray 57 similar samples on MalwareBazaar
TLSH T1CF14121A3BF4E427F7C40F3B1A207AD485C13AE913A02E395F7BC5BB90369AA55C7905
TrID 55.2% (.EXE) UPX compressed Win64 Executable (70117/5/12)
21.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter jstrosch
Tags:Cobalt Strike exe X64


Avatar
jstrosch
Found at hxxp://89.197.154[.]116/Utility.exe by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
US US
Vendor Threat Intelligence
Malware family:
meterpreter
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-20 13:56:47 UTC
Tags:
meterpreter backdoor upx cobaltstrike
Link:
https://app.any.run/tasks/6503e2eb-d204-4a04-aaec-e1c09b73e0df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.Meterpreter.157.6675.26972.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ed7d1df129e67ada901847
Tags:
Network Stealth
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cobalt config-extracted packed packed packed upx
Link:
https://www.filescan.io/uploads/66ed7d1abb9fe02b41b50b06/reports/1ff5d689-3f38-43ec-a722-b738403ff065/overview
Verdict:
Malicious
Labled as:
Dump:Generic.Beacon.Marte.B
Link:
https://www.hybrid-analysis.com/sample/0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cobalt Strike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d46d0bc3-075c-47ff-855b-e3f47f7ee96c
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1514523
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Score:
78%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2024-09-20 13:48:07 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bu2ckiwonavryk6ygjizwp6a3qcmb5iimizh6m7nr44nps3kpnra._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62
Cobalt Strike
41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d
Cobalt Strike
66fa2281567f268adefb54e91b88bfbd7a08eee6c40ff4aafa31472b8d49a3a6
Cobalt Strike
7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
Cobalt Strike
843ae5d44ada9651a6e8253759a53bafca37cb1b7c09544b1d56370269564c91
Cobalt Strike
9750c40f706b035a90da57ec5632283c54672d21d45acfbceb1fd2370a9c9c23
Cobalt Strike
acc69bb8c8d1b4fe18adf40b4f1fc59b8482004a90d36526761bfc3c5e5c41ea
Cobalt Strike
ee4668d7ca1c84e11f460bf48f9e8f298bd4875862ba17f21e9deabc688b9494
Cobalt Strike
+ 47 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/240920-q3485azdnk/
Behaviour
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/589982d9-b540-4abc-a276-c69d10ee7362
Unpacked files
SH256 hash:
5f8881fe8045fac6107a4a672c949dc18094499f70be6dc2ec56a5d8ddd01adf
MD5 hash:
f99a04da57bc008fac2585301f12785f
SHA1 hash:
e2a26855f832434cff124f643bd2fec43ea87148
Link:
https://www.unpac.me/results/ee246dbe-08c7-4c11-a67c-3f5c9bb2ebd2/
SH256 hash:
0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62
MD5 hash:
aec68374e2ecd930e0243d021f4ec0df
SHA1 hash:
a5ba4c296a88f74e6879dda20f99b6a67987e752
Link:
https://www.unpac.me/results/ee246dbe-08c7-4c11-a67c-3f5c9bb2ebd2/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d342522ce68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cobalt Strike

Executable exe 0d342522ce682b1c2bd832519b3fc0dc04c0f50862327f33ed8f38d7cb6a7b62

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3088362/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments