MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 12

Intelligence 12 IOCs YARA 15 File information Comments

SHA256 hash:	66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa
SHA3-384 hash:	bf5e2f8bca8809d1defd49c0bfcff36ecad31e633b1e2f9e3d8a952ceb8f3c2e5153d66c50b3ffe67e64626512ab2b36
SHA1 hash:	4071c91cc1081ea319e1f5ecb81dd49f9b7c46cd
MD5 hash:	3d3260134be0abaf29a5189112899315
humanhash:	king-ink-sierra-mississippi
File name:	66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	2'588'672 bytes
First seen:	2023-05-23 10:08:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a5d9c2ce025206d93665949648b5e519 (1 x CobaltStrike)
ssdeep	49152:Inn3i2JMaBTfoBAsaYJLNuJ+eKVMWQE0LOVTdLB6/1Tb0ll9eUo3:IfBTfSu
Threatray	329 similar samples on MalwareBazaar
TLSH	T10BC5046DBDAC9533E61039BFE6E3E51C8C235C22274148D791436B939C3F96A45B2E32
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	60e584e6c0b49cc8 (2 x CobaltStrike)
Reporter	Neiki
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

Vendor Threat Intelligence

Malware family:

cobaltstrike

ID:

File name:

66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa.exe

Verdict:

Malicious activity

Analysis date:

2023-05-23 10:09:25 UTC

Tags:

cobaltstrike

Link:

https://app.any.run/tasks/2341bd8a-4ea1-4a47-80c2-eb8b30e441a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.DropperX-gen.10453.9168.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

cobalt greyware

Link:

https://www.filescan.io/uploads/646c90c5f7a5bcf785660b37/reports/be600b6f-409c-42b9-afa0-0950eb1d3b3b/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/779e768c-dbf0-4d08-9262-93bb9d76cdbd

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1240683

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa/

Threat name:

Win64.Backdoor.CobaltStrikeBeacon

Status:

Malicious

First seen:

2023-05-23 10:09:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 22 (59.09%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m34z2aexrsm7fniclljbg4zpcvbtmws42vmus43puukvfqq5ex5a._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

1a71685e9d69c3e7619c5f20dbc3bbd693efb1db2370f5127d7f5c81df2baf3b

CobaltStrike

36dadd6c2fd3733c5a24bf74e439aac09b6b9dc79213fe34387015c6cf95afa2

CobaltStrike

7c8621cc3827c1ffbd39ebc8b24e430e2e6aa5bd7b148edc110be9b2914799dc

CobaltStrike

b375e37ee678d8fa056e06cfeccbe1077d517365a46981a811adb637ba5c838c

CobaltStrike

cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8

CobaltStrike

dcc481b5bdd6f0d48d0e8d36d50404628f905b7ccb15ad844658669747c02bfa

CobaltStrike

+ 319 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:1000000 backdoor trojan

Link:

https://tria.ge/reports/230523-l6sx2seg64/

Behaviour

Program crash

Cobaltstrike

Malware Config

C2 Extraction:

http://124.220.154.54:443/logo.jpg

Unpacked files

SH256 hash:

66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa

MD5 hash:

3d3260134be0abaf29a5189112899315

SHA1 hash:

4071c91cc1081ea319e1f5ecb81dd49f9b7c46cd

Link:

https://www.unpac.me/results/66d9323f-53c0-4caf-b602-74c37856789b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	ditekshen, enzo & Elastic
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_C2_Encoded_XOR_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CobaltStrike_MZ_Launcher Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike MZ header ReflectiveLoader launcher

Rule name:	CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 Create hunting rule
Author:	gssincla@google.com
Description:	Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6
Reference:	https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse

Rule name:	CobaltStrike__Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 Create hunting rule
Author:	gssincla@google.com

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Trojan_Raw_Generic_4 Create hunting rule
Author:	FireEye
Reference:	https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Rule name:	Windows_Trojan_CobaltStrike_1787eef5 Create hunting rule
Author:	Elastic Security
Description:	CS shellcode variants

Rule name:	Windows_Trojan_CobaltStrike_f0b627fc Create hunting rule
Author:	Elastic Security
Description:	Rule for beacon reflective loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample