MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bce6eb2839569ba077e24468259aa2678677275c632a0d276dcb14566cc6fcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 3


Intelligence 3 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bce6eb2839569ba077e24468259aa2678677275c632a0d276dcb14566cc6fcf
SHA3-384 hash: e6980054ef48c03b049a74932e5bcf9adc3bfeaf7cafc9ad95b4a5734649a6513b3022fe1f7def9494b08f1b1589b74e
SHA1 hash: 7e1fc00aece9b3d3df4fd44a6fec5fb77058abed
MD5 hash: e87769ace15726fdd508c56f7cb04fcd
humanhash: yankee-four-north-glucose
File name:14.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:141'312 bytes
First seen:2020-04-18 17:16:08 UTC
Last seen:2020-04-18 17:36:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a7a358fc63355e517f96659991cbde9b (2 x CobaltStrike)
ssdeep 1536:ObBa0o5LKv/gEac/a0ME9Mdf5RtwHHPDPCFDh0JdK+28w07K8wma7CJbl:6a7RKR/AFh+PAmJdV28w07K8SSl
Threatray 140 similar samples on MalwareBazaar
TLSH 06D37C2232C4C072D12316318A62D6A68A3AFC725FB0AD9B3BD8177E5F752C1DB16317
Reporter James_inthe_box
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrike
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect CobaltStrike Beacon in memory
Reference:https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
Rule name:CobaltStrike_C2_Encoded_Config_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike C2 encoded profile configuration
Rule name:CobaltStrike_Sleep_Decoder_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike sleep_mask decoder
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments