MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22b125d83e7497491777b1d35306054023475e4efb9ca67f15c16177f626c0e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22b125d83e7497491777b1d35306054023475e4efb9ca67f15c16177f626c0e3
SHA3-384 hash: 0113002f69fc6213167fd4afc86f27e23d336172d947fcc29baffd439fa24b24e0a9f103a5c0b222db607e8af82b0b9b
SHA1 hash: 34352833c714066605a27cfbe2e7e544889e7fe9
MD5 hash: a64693dc4ce57f1c8ed8c7f1a0beca1d
humanhash: wyoming-batman-skylark-delaware
File name:a64693dc4ce57f1c8ed8c7f1a0beca1d.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:225'792 bytes
First seen:2021-06-25 09:20:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep 6144:ugtjuVftOrL/7786Ow0AIWYD/G+EDxSyeCHK8GN:uwYlOrD7Q6NdXYD/G/j3GN
Threatray 320 similar samples on MalwareBazaar
TLSH 6E24D0345DBB9CF5D91E0A30CB9816ACDE23063B7A3F89118A53E05564CFCAC98F7621
Reporter abuse_ch
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
525
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cobaltstrike_shellcode.exe
Verdict:
No threats detected
Analysis date:
2021-06-22 13:55:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed34f882-b5c6-4e65-859f-b7e6a749e7b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168286/
Detection(s):
SecuriteInfo.com.Crypt5.BLLV.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8eaca052-e303-40f7-b2bc-7107314b66b0
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/808027
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/22b125d83e7497491777b1d35306054023475e4efb9ca67f15c16177f626c0e3/
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 00:56:22 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekyslwb6oslusf3xwhjvgbqfiaruoxso7ookm7yvyfqxp5rgydrq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0cc7d4ede78c40918f18f2a409fab83fbce74afe666a558c1e18109204df0a0c
CobaltStrike
0e30a27d44484b9baa56e7b6050581e3edc3bd1b426057c85824d0cac493a3f1
CobaltStrike
3eeac52f9036116d189ca4aa82022efc7a764abe9d559129e6b3720cff203fd9
CobaltStrike
5724f81b8cc1a9a3330cb22020e393c854471f605b422b99a2fd5dda3d32cf80
CobaltStrike
8f7b9a377a14260d8bdcc6e18e749013a0c2c09a60d46fa026d77f6d92b7b801
CobaltStrike
be106bc807b68d8d2bea83f7fbd526675f127b2f234d6c31e2932bb5a5d1aa34
CobaltStrike
ec80dafae2b435962d141d4137ba9e9b84d36c5933828c490d113a88b9c4d2a5
CobaltStrike
f00a924abf7bcb53289911d36aa16af785305d09a5a625183524ef0e591d9fff
CobaltStrike
f4ca63aeb4e3246c5d923942497d650bc3920c9fbc78a330ecf9d7db67e0cb8f
CobaltStrike
fad4aa474affa78e820e731061ed7614feba095422465f0ca4c05a1f3506beb8
CobaltStrike
+ 310 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:773413790 backdoor trojan
Link:
https://tria.ge/reports/210625-y3kfde8t3j/
Behaviour
Modifies system certificate store
Cobaltstrike
Malware Config
C2 Extraction:
http://brosift.com:443/s/58462514417
Unpacked files
SH256 hash:
89e62dc861ad0759a3f33185adebc7b3bf710797c33e4879432ce6802bf4734f
MD5 hash:
71000067fa1c79a6cf10ae628e4cf44e
SHA1 hash:
893c6b05284b8d4b46f4c1673b8adf701164465f
Link:
https://www.unpac.me/results/da1d1b71-3d1c-4aca-8cc1-d3b33982a3b4/
SH256 hash:
c532b76944441c6d2e281d80c4ff92f719a1e816b59dd5be4a9b68cf30100eb9
MD5 hash:
8a8d2788a8578f7d6636447e5e94a3f6
SHA1 hash:
4587c317b90f7fc1776b82681b16b6da94c0cef0
Link:
https://www.unpac.me/results/da1d1b71-3d1c-4aca-8cc1-d3b33982a3b4/
SH256 hash:
22b125d83e7497491777b1d35306054023475e4efb9ca67f15c16177f626c0e3
MD5 hash:
a64693dc4ce57f1c8ed8c7f1a0beca1d
SHA1 hash:
34352833c714066605a27cfbe2e7e544889e7fe9
Link:
https://www.unpac.me/results/da1d1b71-3d1c-4aca-8cc1-d3b33982a3b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22b125d83e7497491777b1d35306054023475e4efb9ca67f15c16177f626c0e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DarkHydrus_Jul18_5
Create hunting rule
Author:Florian Roth
Description:Detects strings found in malware samples in APT report in DarkHydrus
Reference:https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CS_beacon
Create hunting rule
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168286/

Comments