MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a2edba07e82b994bae95816fd2b122c53af573ec88224434e18a4b4650aca7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a2edba07e82b994bae95816fd2b122c53af573ec88224434e18a4b4650aca7e
SHA3-384 hash: fc650f997b8302e1736f1beb0e0c45a9e911c28a4a8eb7a141766a67b9a5bbdd9f80831337497c0234df5780a86a5be6
SHA1 hash: 6ebe6f704c10f0853d788ac36186313a8c2af5f1
MD5 hash: c3f08d24b043938521e28c2eb82538ae
humanhash: pennsylvania-william-red-nitrogen
File name:c3f08d24b043938521e28c2eb82538ae
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:1'229'064 bytes
First seen:2022-02-05 01:41:16 UTC
Last seen:2022-02-05 03:38:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 88ac4bb6aad6785fd60ce5a52cd294f3 (1 x CobaltStrike)
ssdeep 24576:0oLcm5wuOO0/BlEQUP+2C9teg06aiYEh4SdkYQvHRn5bvVt6F:DLYKS2CbegvaiYEh4CkYQvHRn5bvVt6F
Threatray 1'535 similar samples on MalwareBazaar
TLSH T1B7457C85B687BDF6C846473404E253256F76F0409336DB3B3A2CFE380B5BE949E62A15
Reporter zbetcheckin
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
658
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c3f08d24b043938521e28c2eb82538ae
Verdict:
No threats detected
Analysis date:
2022-02-05 01:45:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a4f8be4-5db0-49bc-ad34-725726980cd1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/233478/
Detection(s):
SecuriteInfo.com.Variant.Bulz.345399.16411.12503.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6022/overview
Behaviour
MalwareBazaar
CallSleep
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cobalt Strike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f190ca5-8825-4b52-98c9-5efcf2bfb560
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934449
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Early bird code injection technique detected
Found API chain indicative of debugger detection
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-02-04 03:16:42 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
1196cd7aca5d5576e3d142339e6d7fd9325f4210c6ae196065d766a1468da08c
CobaltStrike
2a2edba07e82b994bae95816fd2b122c53af573ec88224434e18a4b4650aca7e
CobaltStrike
2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c
CobaltStrike
83653a93fc7d8cba1b6d9bcc7650a10b1b7f0c10ab2b1c112f9d1b7d37333051
CobaltStrike
9062e1a48d6531e8022521aebcecbe7913281c1dc282f3230c280f72cf5fca49
CobaltStrike
954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e
CobaltStrike
971c693bc67cf7b4b9655282b815bc1ba10ee937f1736ba1ef5fdb7aea392f6c
CobaltStrike
9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545
CobaltStrike
d1d0c9d1ee7b800d491c9fb3fc94b93e5c59d903a4debb092846c46481077ae0
CobaltStrike
ea27ef027a10c66b256aceb6e3c4a970d7076b3d3571885ab8e2f2a19c21aa97
CobaltStrike
+ 1'525 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor suricata trojan
Link:
https://tria.ge/reports/220205-b4n6zagafj/
Behaviour
Suspicious use of WriteProcessMemory
Cobaltstrike
suricata: ET MALWARE Cobalt Strike Beacon Activity (GET)
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
Unpacked files
SH256 hash:
2a2edba07e82b994bae95816fd2b122c53af573ec88224434e18a4b4650aca7e
MD5 hash:
c3f08d24b043938521e28c2eb82538ae
SHA1 hash:
6ebe6f704c10f0853d788ac36186313a8c2af5f1
Link:
https://www.unpac.me/results/8f9aa95c-17c1-434c-85a5-0b6e9b353657/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a2edba07e82b994bae95816fd2b122c53af573ec88224434e18a4b4650aca7e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 2a2edba07e82b994bae95816fd2b122c53af573ec88224434e18a4b4650aca7e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2029725/
Cape
Cape
https://www.capesandbox.com/analysis/233478/

Comments


Avatar
zbet commented on 2022-02-05 01:41:18 UTC

url : hxxp://101.32.15.46:8000/360.exe