MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26b4f70f421cd52e5c567ff123495bed2b952f63348059bde71780fd935e846f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 12



SHA256 hash: 26b4f70f421cd52e5c567ff123495bed2b952f63348059bde71780fd935e846f
SHA3-384 hash: d06fc09ea419a66b984dbedc24ed97bd6fb1b8cf14dc4762c891ad742e2ba9810bd5b769bc5b5313e508b9345907408a
SHA1 hash: 85f6142d690b81ed0c20e2e3e693dd7948d2f262
MD5 hash: e948c3dddd10eff6a34a78d3a2e1997c
humanhash: south-hamper-ohio-papa
File name: 2022-03-01-Cobalt-Strike.EXE
Signature: CobaltStrike
File size: 729'600 bytes
First seen: 2022-03-02 03:37:03 UTC
Last seen: 2022-03-02 05:47:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 70099f79f6acaa44f9a753b28f8d2f2e (1 x CobaltStrike)
ssdeep: 12288:X0SE03M3ck/cl3m2FOGxlxgVMyx9gyfgC9pLGTmN14imSv3ZMDv:XB3c0A2FOGPxGMyngyfgC9pI8GiDv
TLSH: T1FAF4AE4AFB7440F5D136D579C5638B86D772BCA84B70838F12A8A77E2F332A15D2A311
dhash icon: 102636b4b4343434 (300 x Heodo, 1 x CobaltStrike)
Reporter: JAMESWT_WT
Tags: CobaltStrike exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 624
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2022-03-01-Emotet-epoch4-and-Cobalt-Strike-malware.zip
Verdict: Malicious activity
Analysis date: 2022-03-02 04:01:27 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware keylogger packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Cobalt Strike
Verdict: Malicious
Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected CobaltStrike
Threat name: Win64.Trojan.CobaltStrike
Status: Malicious
First seen: 2022-03-02 02:24:46 UTC
File Type: PE+ (Exe)
Extracted files: 45
AV detection: 19 of 27 (70.37%)
Threat level: 5/5
Verdict: malicious
Label(s): cobaltstrike
Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike botnet:0 backdoor suricata trojan
Behaviour
Suspicious use of SetWindowsHookEx
Cobaltstrike
suricata: ET MALWARE Cobalt Strike Beacon Activity (GET)
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
Malware Config
C2 Extraction: http://klycnmik.com:80/jquery-3.3.1.min.js
Unpacked files
SHA256 hash: 26b4f70f421cd52e5c567ff123495bed2b952f63348059bde71780fd935e846f
MD5 hash: e948c3dddd10eff6a34a78d3a2e1997c
SHA1 hash: 85f6142d690b81ed0c20e2e3e693dd7948d2f262
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments