MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14
SHA3-384 hash: d4c82c79b430f99ad09512985d654aaa184ccfdfd6f90a47c0a8dbe163be183db04bd663f0dabf827d78eede7d3a8011
SHA1 hash: 295bd268aa58c10a0f9bdf17ef167552bacc396e
MD5 hash: de343afd74fa222579d304fafda2ad9e
humanhash: orange-hot-spaghetti-golf
File name:xc.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:229'376 bytes
First seen:2022-12-24 06:45:51 UTC
Last seen:2022-12-26 14:14:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4bfb1481b8c8674ea2f0bf493819ad8 (2 x CobaltStrike)
ssdeep 3072:fSXvMGQmX7P7Uw82rsO/x+Ep4WWp9npfQkpp3knadgRQ7Vn6xjvfvr0H:fSfMmrgwH/vQLnS6pEaexrg
Threatray 1'442 similar samples on MalwareBazaar
TLSH T1EE248C11B2A048F1DDB3A13A8A53272AFAB53D0443249BCF13A04756EF6B7D1A93F751
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter Kostastsale
Tags:Cobalt Strike dll exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
cobaltstrike
Create hunting rule
ID:
1
File name:
xc.dll
Verdict:
Malicious activity
Analysis date:
2022-12-24 06:47:00 UTC
Tags:
cobaltstrike
Link:
https://app.any.run/tasks/6ad1f092-15cf-42b4-a1ae-8d9abb74b4cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Lazy.252405.5951.23683.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Launching the default Windows debugger (dwwin.exe)
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63a6a036a5802d05b3deb166/reports/76603ccc-7050-4b8a-af71-21f13aa36851/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fd50eea-eeae-4671-842c-153366ecd5e9
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1140337
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 773067 Sample: xc.dll.exe Startdate: 24/12/2022 Architecture: WINDOWS Score: 84 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 2 other signatures 2->44 8 loaddll64.exe 7 2->8         started        process3 dnsIp4 30 vosuxizen.com 8->30 11 regsvr32.exe 6 8->11         started        15 rundll32.exe 6 8->15         started        17 cmd.exe 1 8->17         started        19 2 other processes 8->19 process5 dnsIp6 34 vosuxizen.com 11->34 46 System process connects to network (likely due to code injection or exploit) 11->46 21 WerFault.exe 17 9 11->21         started        36 vosuxizen.com 15->36 23 WerFault.exe 9 15->23         started        25 rundll32.exe 6 17->25         started        signatures7 process8 dnsIp9 32 vosuxizen.com 23.106.223.200, 443, 49719, 49720 LEASEWEB-USA-SEA-10US United States 25->32 28 WerFault.exe 21 9 25->28         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14/
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2022-12-23 01:27:36 UTC
File Type:
PE+ (Dll)
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gw6mnykbb45x56ktahmzn5lrhzubd7ajxghn5ni5airmxyezzyka._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
08ec3f13e8637a08dd763af6ccb46ff8516bc46efaacb1e5f052ada634a90c0e
CobaltStrike
5efe564a2c779adebab8e664d524a0cfd026c8ab3a57527bd1d821245ffc2a8c
CobaltStrike
74ace0111970edf84a676c96b0c8180b2f2f6bc0a3f8e7bd1db4c9505e7e1d17
CobaltStrike
9122991758a93293f0ec4db1de3a04927f583b08751a553d235d5fdc1b254bd4
CobaltStrike
936861ea91e37611908b21310d461eb7435f2912e9a7576cee22ce22342d659b
CobaltStrike
93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e
CobaltStrike
99be525b748064edaa30caa911b1122187139c463ad29068c3ee5cf69eed774e
CobaltStrike
a7a0025d77b576bcdaf8b05df362e53a748b64b51dd5ec5d20cf289a38e38d56
CobaltStrike
be9ae4f35c971037fd5762105e3f5bb6657fc27e37a42663878fc954ddfaeff5
CobaltStrike
+ 1'432 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor trojan
Link:
https://tria.ge/reports/221224-hjm7hach31/
Behaviour
Cobaltstrike
Malware Config
C2 Extraction:
http://vosuxizen.com:443/d_config.css
Unpacked files
SH256 hash:
35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14
MD5 hash:
de343afd74fa222579d304fafda2ad9e
SHA1 hash:
295bd268aa58c10a0f9bdf17ef167552bacc396e
Link:
https://www.unpac.me/results/c4342c4a-8102-4d6c-a1e3-8a50a21af538/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35bcc6e1410f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14

(this sample)

  
Link
https://github.com/tsale/TA_tooling/blob/main/C2_Infra-Dec2322.txt
  
Delivery method
Distributed via web download

Comments