MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39bcc68556caf5f83fc73d53b691de3d1017d2add92da447d357bac2f86cc7d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 14

Intelligence 14 IOCs YARA 15 File information Comments

SHA256 hash:	39bcc68556caf5f83fc73d53b691de3d1017d2add92da447d357bac2f86cc7d0
SHA3-384 hash:	07363342c3364d993ad898c9b63156041ae6b029a80012bf2c26799be4a5d5378da2774a300eb803af6cbbe70eff6d7d
SHA1 hash:	33926de0c5ea86b058fcd33ea5530bd2c1c930be
MD5 hash:	68575d0fe4ddf2a4773888df3ab1b5e4
humanhash:	grey-gee-kansas-magazine
File name:	68575d0fe4ddf2a4773888df3ab1b5e4
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	46'592 bytes
First seen:	2022-05-25 11:05:09 UTC
Last seen:	2022-05-25 11:58:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f42ca71ad90e2ef189b00a6953453ce2 (1 x CobaltStrike)
ssdeep	384:Hp3+IXKc206uHhcZtZfWtO/LvdgbTYxwp8Yv5ZM3rITMM639jsiy8z3Ca9uzQ08T:Hp3V36uWmO/LVgTkYxZMJ39j0Puuyb3
Threatray	1'922 similar samples on MalwareBazaar
TLSH	T13423F785762480B1F28791FC9152BD66A13B3CEF8791748F5384365A2FB36E2BA35703
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	3078c0ccccc0d8c0 (1 x CobaltStrike)
Reporter	Anonymous
Tags:	CobaltStrike exe NEED

Intelligence

File Origin

# of uploads :

# of downloads :

702

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

68575d0fe4ddf2a4773888df3ab1b5e4

Verdict:

No threats detected

Analysis date:

2022-05-25 11:06:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cfb4d7a9-ac27-4ef1-9216-53b949f8fb04

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/274477/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Searching for synchronization primitives

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/20300/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/628e0d733ec49f83a6ca5023/reports/c38a4247-633a-45c2-8847-c102cdff4362/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/339f9d5c-4fb2-4b55-805e-ad946e5c0171

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1001503

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes memory attributes in foreign processes to executable or writable

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Malicious sample detected (through community Yara rule)

Writes to foreign memory regions

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/39bcc68556caf5f83fc73d53b691de3d1017d2add92da447d357bac2f86cc7d0/

Threat name:

Win64.Backdoor.CobaltStrikeBeacon

Status:

Malicious

First seen:

2022-05-25 11:19:46 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hg6mnbkwzl27qp6hhvj3neo6huibpuvn3ew2ir6tk65mf6dmy7ia._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

080c2647fb26ac8576014a21591465eba5b0ee03475f70e95bc3a4caa8d3642e

CobaltStrike

7920fb3873012f1abef8c2abfb905e53317595874985f24b23fb318b54b1e243

CobaltStrike

8344424b2ab65b90171d02df7f9f8625308284c4b25e0e489c005f9c164784c2

CobaltStrike

87dca59ec3d55bcb1b05da564e5ce0a164ab633f1c46a18a97f72a30efff7388

CobaltStrike

9a7d2b2c96ee9b7b0ddc1665988d935a719f04cdb2b2dd331ec36aa4f6597506

CobaltStrike

d3f1d658545c3726233e696e3cea4d66d9a515d60f551ea01abfda00552e17da

CobaltStrike

d44d718c247b1664861f987b1725314f152e43e7c1da80b163f812e1b7c3fdb7

CobaltStrike

+ 1'912 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:0 backdoor suricata trojan

Link:

https://tria.ge/reports/220525-m7ebqaaad4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Cobaltstrike

suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1

Malware Config

C2 Extraction:

http://192.168.1.5:8011/search/

Unpacked files

SH256 hash:

39bcc68556caf5f83fc73d53b691de3d1017d2add92da447d357bac2f86cc7d0

MD5 hash:

68575d0fe4ddf2a4773888df3ab1b5e4

SHA1 hash:

33926de0c5ea86b058fcd33ea5530bd2c1c930be

Link:

https://www.unpac.me/results/da5ee91c-0751-452e-9928-7e66c3ec74c1/

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/39bcc68556ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39bcc68556caf5f83fc73d53b691de3d1017d2add92da447d357bac2f86cc7d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_Beacon_x64 Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	Cobaltbaltstrike_Payload_Encoded Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	ditekshen, enzo & Elastic
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_C2_Encoded_XOR_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CobaltStrike_MZ_Launcher Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike MZ header ReflectiveLoader launcher

Rule name:	CobaltStrike_Sleep_Decoder_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike sleep_mask decoder

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	malware_CobaltStrike_v3v4 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect CobaltStrike Beacon in memory
Reference:	https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html

Rule name:	MALW_cobaltrike Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Rule to detect CobaltStrike beacon
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	win_cobalt_strike_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.cobalt_strike.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274477/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample