MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1
SHA3-384 hash: 09d83582db555097413485b9e1c0592c3f8ce7fb059df6b34dbdb18708f7fa7618ecfbb722df9837638f85095a8a7f92
SHA1 hash: 14b1a681fea9c0833f20ecc6ef231dfb7cc62a3d
MD5 hash: f59a8569683d12768cb44c76fac971d8
humanhash: tennis-oscar-helium-eight
File name:1.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:288'256 bytes
First seen:2023-08-20 21:39:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 17b461a082950fc6332228572138b80c (121 x CobaltStrike, 2 x Cobalt Strike)
ssdeep 6144:IC9EyT8nZOdpuRz1KfImnX+rQclABOLeAKDI:t8qUB1Kwmn5clABOJKDI
Threatray 465 similar samples on MalwareBazaar
TLSH T14054AEFBBA9220F3D321B4799ACC07627341D914FB6098A647767851EF5DC236B2F1A0
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter ULTRAFRAUD
Tags:Cobalt Strike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
cobaltstrike
Create hunting rule
ID:
1
File name:
1.exe
Verdict:
Malicious activity
Analysis date:
2023-08-20 21:45:27 UTC
Tags:
cobaltstrike backdoor
Link:
https://app.any.run/tasks/f9c3398f-34aa-43a3-8ce3-ebdfbad600fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443857/
Detection(s):
Win.Trojan.CobaltStrike-9044898-1
Create hunting rule

Win.Trojan.CobaltStrike-7899871-1
Create hunting rule

Win.Countermeasure.LoaderWinGeneric-9804845-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e2354c6-5232-4e30-906d-97fcaf618db4
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1294197
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2023-06-28 22:50:01 UTC
File Type:
PE+ (Exe)
AV detection:
34 of 38 (89.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2zpckigynmqzatsxabvrbtzit6ynopszqq6433w6ar5xajoloyq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
02b2b13533ce7a1875b458c8843c38cfc2123c504d4058fb1d343761d8fafd67
CobaltStrike
2c593089c490455039542e64826356d85ca09c1e2dba673b5a9aa7814bd17959
CobaltStrike
497f6f7e21dd3e9622c7cd9f96bb5359284cd21c24ea3faa99520397b911a08e
CobaltStrike
53c31c1987e6d560be5ed2cea896b4f7053aa9719ad9e9909bff6cf503b7921d
CobaltStrike
66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa
CobaltStrike
723427427eaa43fbe3aafce325a18201b65141627181484b2d5f4a1632aabdfb
CobaltStrike
8356f3fd326f41fcfbbc17c9fa1a81abe75aae2831b364bf6f6a100a2bebc5c2
CobaltStrike
992f98e70bc5bdfbb7c2c2f3250caf97f831619ac56f0aca3f67dccdb923f94e
CobaltStrike
f092970f8d406e0d01052e36238c3826d8392397802638af877a8d98ee6c9724
CobaltStrike
f6c2a34e3a85581ae83b048b0e66efd5bf6afb895b09ee4c38e61a219c549847
CobaltStrike
+ 455 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:100000000 backdoor trojan
Link:
https://tria.ge/reports/230820-1h7hvsbc4x/
Behaviour
Cobaltstrike
Malware Config
C2 Extraction:
http://45.76.179.63:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1
MD5 hash:
f59a8569683d12768cb44c76fac971d8
SHA1 hash:
14b1a681fea9c0833f20ecc6ef231dfb7cc62a3d
Link:
https://www.unpac.me/results/3460a156-9d05-4bd2-ae8c-b22f8454215d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrike_Resources_Artifact64_v3_14_to_v4_x
Create hunting rule
Author:gssincla@google.com
Description:Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x
Reference:https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
Rule name:CobaltStrike__Resources_Artifact64_v3_14_to_v4_x
Create hunting rule
Author:gssincla@google.com
Rule name:HKTL_Imphashes_Aug22_1
Create hunting rule
Author:Florian Roth
Description:Detects different hacktools based on their imphash
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/443857/
  
URLhaus
https://urlhaus.abuse.ch/url/2705852/
  
Delivery method
Distributed via web download

Comments