MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 688bad6e742d9ba51f0205a1d2d83ecd555d0213c94b5684b1aac4525f971658. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 688bad6e742d9ba51f0205a1d2d83ecd555d0213c94b5684b1aac4525f971658
SHA3-384 hash: d3093903235d1f0105e701281486c9ee58571ad68b09b78bc0ec3e5ba09e3c150c26318a48c7b6de3806d636452fd927
SHA1 hash: c17e7ef7f9f8cd5e398836fb7bd7b08d6191b5ec
MD5 hash: 7ed8307064ed69abfad67db1ecc30f68
humanhash: five-equal-floor-asparagus
File name:cs.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:224'256 bytes
First seen:2021-08-28 18:38:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep 6144:LK9mtDBmssioq+0wU4rE4/yIatouQIzSf0Pj3:LLt1mFipoVEd/1uf0L3
Threatray 458 similar samples on MalwareBazaar
TLSH T17524DFBA3D4F0EA9F4C7193B107565BEBE5DB447A8B1C8204F639C9BD428277A319231
Reporter drb_ra
Tags:CobaltStrike

Intelligence

File Origin
# of uploads :
1
# of downloads :
595
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cs.exe
Verdict:
Malicious activity
Analysis date:
2021-08-28 18:39:13 UTC
Tags:
trojan cobaltstrike
Link:
https://app.any.run/tasks/fa1bed8a-9aec-4b25-92a4-ee9e9edd6711

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183122/
Detection(s):
SecuriteInfo.com.Crypt5.BLLV.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffba8e86-b5d7-4a1b-ae17-3115b1026bb5
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/840829
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/688bad6e742d9ba51f0205a1d2d83ecd555d0213c94b5684b1aac4525f971658/
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 18:39:08 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ncf223tufwn2khycawq5fwb6zvkv2aqtzffvnbfrvlcfex4xczma._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
387fa33c2ca6ae4613cb2a8bf5acdb90358af364062205ebb3aea458982eb62f
CobaltStrike
44a62ceedf74271297ab0009697dc8c3aa9c4329c10eb0b55c7bea920474a41d
CobaltStrike
5dff57c390cb00a579eba8bba0295e1eab295a43c6a279f8a3bf469f794bf16d
CobaltStrike
6b0734b66f184cd97c215f3e553ab5cc2a88e4be5baf34f2094d0fa40c678d34
CobaltStrike
85134ebe10314d1ce81da73525f6c44bb12c9464523df74f6a10dfe974df217f
CobaltStrike
cc2c6d177b60a3ec0aec1d38ba1f7942293ac85e688182f545720a952b511a97
CobaltStrike
d0e91145242e2c5e18b651260993c4559a016e7b3f5e10167b04949dcea8978a
CobaltStrike
+ 448 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:1 backdoor trojan
Link:
https://tria.ge/reports/210828-1faw9fp4jj/
Behaviour
Cobaltstrike
Malware Config
C2 Extraction:
http://104.160.33.178:8081/en_US/all.js
Unpacked files
SH256 hash:
4fca3db83e3e2eb92159258c64ef2176b44f1813b13ba2abf33629b1fc027af5
MD5 hash:
db74bd503cb3f5552aee0d952544ba6b
SHA1 hash:
4482b249a73497af8c9779ed51c45ff2eafbad45
Link:
https://www.unpac.me/results/d7f86b3a-f580-432a-97a8-e9469332db2c/
SH256 hash:
21679e4bc63f97937fdf480b4a9aa774020e24fcb426d216b5a838f8d22b0a86
MD5 hash:
0494f59b10f55e2d9621ed2b6b0d3f6d
SHA1 hash:
fd48e9f77c464a51366151522c59199dfc7a2b26
Link:
https://www.unpac.me/results/d7f86b3a-f580-432a-97a8-e9469332db2c/
SH256 hash:
688bad6e742d9ba51f0205a1d2d83ecd555d0213c94b5684b1aac4525f971658
MD5 hash:
7ed8307064ed69abfad67db1ecc30f68
SHA1 hash:
c17e7ef7f9f8cd5e398836fb7bd7b08d6191b5ec
Link:
https://www.unpac.me/results/d7f86b3a-f580-432a-97a8-e9469332db2c/
Malware family:
Cobalt Strike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/688bad6e742d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/688bad6e742d9ba51f0205a1d2d83ecd555d0213c94b5684b1aac4525f971658

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobaltbaltstrike_strike_Payload_XORed
Create hunting rule
Author:Avast Threat Intel Team
Description:Detects CobaltStrike payloads
Reference:https://github.com/avast/ioc
Rule name:HKTL_CobaltStrike_Beacon_4_2_Decrypt
Create hunting rule
Author:Elastic
Description:Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5
Create hunting rule
Author:Florian Roth
Description:Detects strings found in CobaltStrike shellcode
Reference:https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183122/

Comments