MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46725598f6c781f6fd178d6f1bce8c93bb21a6a27d6daebc9ff57878a1a301ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	46725598f6c781f6fd178d6f1bce8c93bb21a6a27d6daebc9ff57878a1a301ad
SHA3-384 hash:	11a576f4941e554680b8d5b3e5be972dc476cab4e441d3e21e5479d32da82ee0b49b74989e71da39008a9b53b8d48c6e
SHA1 hash:	3640bf3d7b6ed87548a2d14d27262e8ef9010f94
MD5 hash:	deeec9c9f04b67a2e6a55eff7cef8aef
humanhash:	salami-seven-nineteen-shade
File name:	Oneninetree.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	408'078 bytes
First seen:	2023-10-05 06:41:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	80ab3e0063a1c634df181b0f077d7bd9 (1 x CobaltStrike)
ssdeep	6144:pRhbr4sIHfKpjJ81ptjWxMNp6ig7Oyj5Rz66rPT/qMzoH/coVR:LN016ieejwt566bT/zoH/rVR
Threatray	217 similar samples on MalwareBazaar
TLSH	T1D094CEC8CE4613A1E6925DB72CB5C6E9C5E07E8F6C308D7F9E3A4134A439B407AA51C7
TrID	32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 20.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	fr0s7_
Tags:	Cobalt Strike CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

347

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.15795.5384.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug cobaltstrike explorer lolbin overlay

Link:

https://www.filescan.io/uploads/651e5abba31588d184f1b11b/reports/2c38031c-e3ae-4c6c-b951-1364e691269c/overview

Verdict:

Malicious

Labled as:

DeepScan:Generic.ShellCode.Marte.2

Link:

https://www.hybrid-analysis.com/sample/46725598f6c781f6fd178d6f1bce8c93bb21a6a27d6daebc9ff57878a1a301ad

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5fab5eb7-982b-4adb-9e67-adaf318feb31

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1319918

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/46725598f6c781f6fd178d6f1bce8c93bb21a6a27d6daebc9ff57878a1a301ad/

Threat name:

Win32.Trojan.Rozena

Status:

Malicious

First seen:

2023-10-04 18:07:11 UTC

File Type:

PE (Exe)

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=izzflghwy6a7n7ixrvxrxtumso5sdjvcpvw25pe76v4hrindagwq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

2a2f594dc53b5be16a0ca9e5feaa1387012c1e5f1d50a0168aa3991c47966a67

CobaltStrike

42b23dafaf9df05efbacd78b76d24668a1c74b8d6fb7695ecf871532a8bd2f4e

CobaltStrike

6fae8cbe4cd8580d3ce09ad24e7a827b1985eda99ce00dcde8d345a2be509e01

CobaltStrike

91bd127fe5f8e96e424dc509a6910edde262142eeadd6ba9f316cb5bde12221e

CobaltStrike

b85e1e79b143c308a707b86b827dd4bacc0d2240a260cf97c3a944f96c96083f

CobaltStrike

d8f94dd6d50eb4dd0528f3784883e20eb8499f5188e596de217039a9dff61e64

CobaltStrike

+ 207 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231005-hgcb8aba62/

Behaviour

Modifies system certificate store

Unpacked files

SH256 hash:

46725598f6c781f6fd178d6f1bce8c93bb21a6a27d6daebc9ff57878a1a301ad

MD5 hash:

deeec9c9f04b67a2e6a55eff7cef8aef

SHA1 hash:

3640bf3d7b6ed87548a2d14d27262e8ef9010f94

Link:

https://www.unpac.me/results/4e9ac69e-2f39-4fa0-ab6b-2f73678c96b8/

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/46725598f6c7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/46725598f6c781f6fd178d6f1bce8c93bb21a6a27d6daebc9ff57878a1a301ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Windows_Trojan_CobaltStrike_1787eef5 Create hunting rule
Author:	Elastic Security
Description:	CS shellcode variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample