MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2
SHA3-384 hash: 203e45a7ae7aae96eff56ee6e730cb518f5dc753c81dd13f037920521c171d89ba46a840cc5338d5fdedc7dd43ce606b
SHA1 hash: c81611ce66b4e5ba6e8100b918d493baa69e8fc5
MD5 hash: f9949ce51aaeb11fd62d25daa0260a2e
humanhash: video-alanine-triple-social
File name:f9949ce51aaeb11fd62d25daa0260a2e.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:1'377'792 bytes
First seen:2023-02-07 16:47:03 UTC
Last seen:2023-02-07 18:40:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 36 x Vidar)
ssdeep 24576:M2WGY5iSuvZHV3AJmP7V7ehg5pAABBuLz1:pWGYAXxHVQYjVag5p9zuLz1
Threatray 2'256 similar samples on MalwareBazaar
TLSH T16E553947B8D081B6D4AA9232896592A17B30BC491F3163D33B50BBFE2F7A7D45E35318
gimphash 4cbe7d8dfb7684b8c8f2d1c4f1fa54a2797e18ea140ca7b52e9258afd9f6f82f
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e8dcd5a33854c4e8 (1 x CobaltStrike)
Reporter JaffaCakes118
Tags:Cobalt Strike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
cobaltstrike
Create hunting rule
ID:
1
File name:
f9949ce51aaeb11fd62d25daa0260a2e.exe
Verdict:
Malicious activity
Analysis date:
2023-02-07 16:52:55 UTC
Tags:
cobaltstrike
Link:
https://app.any.run/tasks/67e93260-402a-4253-a88b-741885ac553b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/361455/
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.17525.27972.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/66147/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
golang greyware
Link:
https://www.filescan.io/uploads/63e2808f447edb203a0318fd/reports/7088e2fd-96d7-4d31-a0f8-1bf1d30cb33c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/050d1f71-efa3-49eb-bd39-7f602e3ea37f
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1168395
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2/
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Create hunting rule
Status:
Suspicious
First seen:
2023-02-07 15:07:06 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
14 of 37 (37.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3nn23bp2nztywrex52oionkycnwxhohsij74nbyoak4nt4vv6ra._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
1a71685e9d69c3e7619c5f20dbc3bbd693efb1db2370f5127d7f5c81df2baf3b
CobaltStrike
25177f86963cd89171a6f06bcd0559806f7c1fa1cff3a52eee89ad38c024b819
CobaltStrike
35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14
CobaltStrike
7c8621cc3827c1ffbd39ebc8b24e430e2e6aa5bd7b148edc110be9b2914799dc
CobaltStrike
91aaaa1b0672caace5865b8c42da45a0efafe4dc373d9e1999e9411e31be17d1
CobaltStrike
a0410b34f9a1161434b2df05470e2bc5d917ad44e419fe9d6a5008e3e3898b47
CobaltStrike
cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8
CobaltStrike
d47f062cb7cf40ed6fefc8bb54ace2c597bf15095703974eb5567c73c10ad655
CobaltStrike
+ 2'246 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:100000 backdoor trojan
Link:
https://tria.ge/reports/230207-vaj5psfh5y/
Behaviour
Modifies system certificate store
Cobaltstrike
Malware Config
C2 Extraction:
http://service-4xrjz1wg-1253795072.gz.apigw.tencentcs.com:443/api/auth/v1/log
Unpacked files
SH256 hash:
36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2
MD5 hash:
f9949ce51aaeb11fd62d25daa0260a2e
SHA1 hash:
c81611ce66b4e5ba6e8100b918d493baa69e8fc5
Link:
https://www.unpac.me/results/9dfbf487-b3fc-4af4-9afe-08169b2953f9/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/36dadd6c2fd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/361455/

Comments