MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1928e9c98f5e26755861ed67d7061b18e755db0c29f853890086f06237a52820. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

Intelligence 9 IOCs YARA 16 File information Comments

SHA256 hash:	1928e9c98f5e26755861ed67d7061b18e755db0c29f853890086f06237a52820
SHA3-384 hash:	ec53b96616d518743514e37f7520e1033fe56eb82cd4a94507eb67cb4b25557bd0ffe14cfb845b45fb09d0bd1fec9a5f
SHA1 hash:	245613db8927c03e0138fbdd55199597446a8684
MD5 hash:	b9280b89ba7760449eadd05983a32217
humanhash:	moon-idaho-jupiter-missouri
File name:	1928e9c98f5e26755861ed67d7061b18e755db0c29f853890086f06237a52820
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	212'480 bytes
First seen:	2020-10-24 21:21:15 UTC
Last seen:	2020-10-25 08:06:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	199c3b2f92d728912bb206ea499d43f1 (179 x CobaltStrike)
ssdeep	3072:KlC60GeD6N9Za5Yp6zPC952DmKX0tDV2/jqBkLcP6j5Ub5n:KNxfaWUzPWEKKX0pURLcyjW
Threatray	102 similar samples on MalwareBazaar
TLSH	CA249D9131C1C432D15A0474A64FC77E8FBDB8F415719887BFA80AA99E762E3D72A307
Reporter	seifreed
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/75295/

Detection(s):

Win.Trojan.CobaltStrike-8091534-0

Win.Tool.CobaltStrike-6336852-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/508781

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1928e9c98f5e26755861ed67d7061b18e755db0c29f853890086f06237a52820/

Threat name:

Win32.PUA.CobaltStrikeBeacon

Status:

Malicious

First seen:

2020-10-23 10:50:26 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=deuotsmplythkwdb5vt5obq3ddtvlwymfh4fhciaq3ygen5ffaqa._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

196320968528e108ef517668d879d308e2425e0f2abafc554cb6639bc38c23fb

CobaltStrike

39dca3fbd2f4684b95c0e46c833dcf6d95a0d7b53ede8e5a0a62a1d04bc37e0b

CobaltStrike

4b459c85c8425e368325d8844148e6a058d350374eb721a3da26c4e85ba26973

CobaltStrike

8a148932d87847341a5cc3e93ba144ea1332229a4334a951449b7458169533bc

CobaltStrike

8c195ec63793d4d4927cb5e06cd2c5771cedab32baecd2097454e3709e2748cc

CobaltStrike

a3b71dfc0235bd33cd7d9d05db130acc2d4d4852522279aab9ceb5ea9f3d0ca9

CobaltStrike

ba0f8dbc98176e58b11bded685e165885c3131c17ce1a8361846fd1a88f69c65

CobaltStrike

d6ad7fadcb2167a24e36bb0f9e668c95183c3c224bef5775bc06c5bc71b02616

CobaltStrike

f0bcf90c8a887b662d9413e62ff453dea774e520df15a6651eacad17eda434ac

CobaltStrike

+ 92 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201024-5l343g6bqn/

Behaviour

Suspicious use of WriteProcessMemory

Malware Config

C2 Extraction:

http://47.94.136.27:23333/push

Unpacked files

SH256 hash:

1928e9c98f5e26755861ed67d7061b18e755db0c29f853890086f06237a52820

MD5 hash:

b9280b89ba7760449eadd05983a32217

SHA1 hash:

245613db8927c03e0138fbdd55199597446a8684

Detections:

win_cobalt_strike_auto

Link:

https://www.unpac.me/results/183a97ef-17ed-443d-83c7-bcbcc668a367/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Carbanak

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1928e9c98f5e26755861ed67d7061b18e755db0c29f853890086f06237a52820

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_CobaltStrike_Beacon_Indicator Create hunting rule
Author:	JPCERT
Description:	Detects CobaltStrike beacons
Reference:	https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py

Rule name:	Beacon_K5om Create hunting rule
Author:	Florian Roth
Description:	Detects Meterpreter Beacon - file K5om.dll
Reference:	https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html

Rule name:	CobaltStrike Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect CobaltStrike Beacon in memory
Reference:	https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html

Rule name:	CobaltStrike_C2_Encoded_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CobaltStrike_Sleep_Decoder_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike sleep_mask decoder

Rule name:	CobaltStrike_Unmodifed_Beacon Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects unmodified CobaltStrike beacon DLL

Rule name:	crime_win32_csbeacon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Cobalt Strike loader
Reference:	https://twitter.com/VK_Intel/status/1239632822358474753

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	Leviathan_CobaltStrike_Sample_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Cobalt Strike sample from Leviathan report
Reference:	https://goo.gl/MZ7dRg

Rule name:	Malware_QA_vqgk Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file vqgk.dll
Reference:	VT Research QA

Rule name:	MALW_cobaltrike Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect CobaltStrike beacon

Rule name:	PowerShell_Susp_Parameter_Combo Create hunting rule
Author:	Florian Roth
Description:	Detects PowerShell invocation with suspicious parameters
Reference:	https://goo.gl/uAic1X

Rule name:	ReflectiveLoader Create hunting rule
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	WiltedTulip_ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:	http://www.clearskysec.com/tulip

Rule name:	win_cobalt_strike_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/75295/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample