MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32c5cffcd7432c4122fb0aeca0379bb354dfff9c17dc10f20e992cd520c7f037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32c5cffcd7432c4122fb0aeca0379bb354dfff9c17dc10f20e992cd520c7f037
SHA3-384 hash: 82bf424d20d27f50165484e12312193927386f900a9208eb388746f1e8dfef7a522496acfe28fc687cf2a2b12b15474a
SHA1 hash: d8857e54337308ef30d47e5b162c6b96e57cdba9
MD5 hash: 9fc331785c2fb5b82c657c2fed719515
humanhash: eleven-magnesium-september-foxtrot
File name:9fc331785c2fb5b82c657c2fed719515.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:222'208 bytes
First seen:2021-09-01 18:22:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep 3072:l4sFCsPjwOO0CnKoMmEKIiF1l3lzGrqOXGgF1spyj91PGVQrriEvg8+zig+u:l4sUs7jOgmE1ixsT2OGpyJVvgHzz+
Threatray 514 similar samples on MalwareBazaar
TLSH T12624E07AD304E9E1C4B481BAC150FAB52F216107B8B7A9E2D4D864398FC47AF790FB45
Reporter abuse_ch
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
571
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cobaltstrike_shellcode.exe
Verdict:
No threats detected
Analysis date:
2021-08-28 12:11:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b9d8e0bf-c135-4821-9def-23197c8d8dba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184546/
Detection(s):
SecuriteInfo.com.Crypt5.BLLV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Sending a UDP request
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f831749-444e-4da4-8055-0c9b1cd89104
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/843588
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/32c5cffcd7432c4122fb0aeca0379bb354dfff9c17dc10f20e992cd520c7f037/
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 18:51:01 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=glc477gximwecix3blwkan43wnkn7744c7obb4qotewnkigh6a3q._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
092fed4da898c2cd0398f75620a430dd4188823384bf8409bef947b2c6aeaf27
CobaltStrike
287aae0d0192654d709742977dfb6219856096d8b05cf7592b2adfd96bb2d976
CobaltStrike
7ae629d6b56914cfb07f8fdffc3ee43785dc99990351985156106019771fa094
CobaltStrike
91d4281d998f532037fe66469d75b706cec2116769a85f5ab3564d3caf74f5bf
CobaltStrike
c688ae9267e5e9e757ec29014373a66f6b008c2ab412becbac9e3c1aae068c79
CobaltStrike
c934a760a669e7fa83b6d80720f78f5eba20c4f5008043faacca8963373f8d00
CobaltStrike
e4ca37b939f9ca60aab3b68d49169ee93e46548b76dfb31eeb43d4161fd3dc1a
CobaltStrike
+ 504 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:1711276032 backdoor suricata trojan
Link:
https://tria.ge/reports/210901-cbmzef3eds/
Behaviour
Modifies system certificate store
Cobaltstrike
suricata: ET MALWARE Cobalt Strike Malleable C2 (Microsoft Update GET)
Malware Config
C2 Extraction:
http://118.31.60.151:443/c/msdownload/update/others/2016/12/29136388_
Unpacked files
SH256 hash:
8949121ae8b68fb74baa191c24f829e2d0ab02da46a05d31929db35ea2c30380
MD5 hash:
5221a5112efd14ea0866c08b4ea6ab78
SHA1 hash:
b3d51cadc90ffa3be875cc851de023aff3aa9903
Link:
https://www.unpac.me/results/80defcaf-2d01-432e-bd62-7e90c64a2c4f/
SH256 hash:
034202f7317645ffd0e265a0eb779ecbfe9b15d3c0fccee8312a1da51676896d
MD5 hash:
58e2a66cd7d68371dc1e309d1d4c0c7c
SHA1 hash:
28278cb8c81e2864f1ad44a6fc7a2d256f785cde
Link:
https://www.unpac.me/results/80defcaf-2d01-432e-bd62-7e90c64a2c4f/
SH256 hash:
32c5cffcd7432c4122fb0aeca0379bb354dfff9c17dc10f20e992cd520c7f037
MD5 hash:
9fc331785c2fb5b82c657c2fed719515
SHA1 hash:
d8857e54337308ef30d47e5b162c6b96e57cdba9
Link:
https://www.unpac.me/results/80defcaf-2d01-432e-bd62-7e90c64a2c4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32c5cffcd7432c4122fb0aeca0379bb354dfff9c17dc10f20e992cd520c7f037

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobaltbaltstrike_Beacon_XORed_x86
Create hunting rule
Author:Avast Threat Intel Team
Description:Detects CobaltStrike payloads
Reference:https://github.com/avast/ioc
Rule name:Cobaltbaltstrike_strike_Payload_XORed
Create hunting rule
Author:Avast Threat Intel Team
Description:Detects CobaltStrike payloads
Reference:https://github.com/avast/ioc
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:CS_beacon
Create hunting rule
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_4_2_Decrypt
Create hunting rule
Author:Elastic
Description:Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5
Create hunting rule
Author:Florian Roth
Description:Detects strings found in CobaltStrike shellcode
Reference:https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184546/

Comments