MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3da3b7a6ce9f51f3298afc7aa931d3178f57b2d1ce857dbd88675c7386866b7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 10

Intelligence 10 IOCs YARA 12 File information Comments

SHA256 hash:	3da3b7a6ce9f51f3298afc7aa931d3178f57b2d1ce857dbd88675c7386866b7e
SHA3-384 hash:	43c6cb621155f28a5ce8da43e1ab246d0932fe07ad0fd7e167ab22d64e8fd908c652f46d03621c8246f54d4a06846bc4
SHA1 hash:	a8c349fd92f6eb316bb1e3fa8bc9ce60c025da13
MD5 hash:	afaf53de1fceca316ed34804ec5f8264
humanhash:	london-lima-december-stream
File name:	afaf53de1fceca316ed34804ec5f8264.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	1'549'120 bytes
First seen:	2022-05-25 11:06:05 UTC
Last seen:	2022-05-25 11:58:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep	24576:Y8fCLo6qrWU+CnU28NDgDhxBYLyQzD1M25n:Y868xrWU+CMgFx2eQzD1hh
Threatray	350 similar samples on MalwareBazaar
TLSH	T193656B47BC91B0BAD0B9C231CB65A2A17B717494073123CF2B51A7B91F76BD81E78368
gimphash	f4854fab3f1449c7c1dadc75371caf749048ddfbdcd328ce5ec635c0cea0dc26
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	360dashen
Tags:	CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

708

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

afaf53de1fceca316ed34804ec5f8264.exe

Verdict:

No threats detected

Analysis date:

2022-05-25 11:06:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/43814192-069a-412d-8d85-611c688bcc00

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/274478/

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/20301/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

golang overlay packed

Link:

https://www.filescan.io/uploads/628e0dd965e338159938fb62/reports/fdd5b9f1-64cd-4c87-8fc7-87db0f967380/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d62a9557-28ef-4458-9016-04782b40d5a9

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1001504

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3da3b7a6ce9f51f3298afc7aa931d3178f57b2d1ce857dbd88675c7386866b7e/

Threat name:

Win64.Backdoor.CobaltStrikeBeacon

Status:

Malicious

First seen:

2022-05-25 11:18:08 UTC

File Type:

PE+ (Exe)

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hwr3pjwot5i7gkmk7r5ksmotc6hvpmwrz2cx3pmim5ohhbugnn7a._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

2825b1fcb91614a08b7c2338e54ee1506915c159bd6a363de7b77c23dd6ea7e0

CobaltStrike

2d6b9e29a2b0c81e5ff46e9913a753128dbc3b944471bf5d89e12cba9c1f536a

CobaltStrike

487424f7ad546f72d0240922d1c6d9800bfcb95d3582eeecbbae0051208b6f89

CobaltStrike

90d67f109ff6992f8021852a647447cbc68a2c6f1271d966eb8675b5de7636ed

CobaltStrike

9304dd6097abd22d8209fe94ecf89b6f373375637089886058b473a346be6d68

CobaltStrike

934c39dceb4e82940e3fa6773fda7fe02c902345ac66cf9ecab9f6a64997c1e1

CobaltStrike

a132c7776fdd1d661a7ca045a8296bfb51d2c4d9fc722fa39612e06dad9a92a9

CobaltStrike

f20d91a10181609a8c7b3d7581f415c76a3a6cb6d4878da84c006403dfc9969c

CobaltStrike

+ 340 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:123456789 backdoor trojan

Link:

https://tria.ge/reports/220525-m7y15aaad7/

Behaviour

Modifies system certificate store

Cobaltstrike

Malware Config

C2 Extraction:

http://service-bv4lng5j-1307188804.sh.apigw.tencentcs.com:443/search

Unpacked files

SH256 hash:

3da3b7a6ce9f51f3298afc7aa931d3178f57b2d1ce857dbd88675c7386866b7e

MD5 hash:

afaf53de1fceca316ed34804ec5f8264

SHA1 hash:

a8c349fd92f6eb316bb1e3fa8bc9ce60c025da13

Link:

https://www.unpac.me/results/3fd47fc1-d6fb-4625-aa88-aead75fed532/

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3da3b7a6ce9f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/3da3b7a6ce9f51f3298afc7aa931d3178f57b2d1ce857dbd88675c7386866b7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_Payload_Encoded Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	ditekshen, enzo & Elastic
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_C2_Encoded_XOR_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CobaltStrike_MZ_Launcher Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike MZ header ReflectiveLoader launcher

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	Trojan_Raw_Generic_4 Create hunting rule
Author:	FireEye
Reference:	https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274478/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample