MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aa7014299e01ce49789a7525d0eb3d4d685c220cae8ed4a6fa135c10d327762. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 10


Intelligence 10 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6aa7014299e01ce49789a7525d0eb3d4d685c220cae8ed4a6fa135c10d327762
SHA3-384 hash: f257c1f7c58c51be80f11ba16ea833c8c2c80565dbb359f18ebab11a8e92b012626fd391159b870fac0baa6496d568b0
SHA1 hash: 100381f2cb15dcb02dc0af599c8cbc86f9ae8a43
MD5 hash: a4358c243781cfebde38208a7de89ef9
humanhash: avocado-three-don-bacon
File name:69138.bin
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:273'920 bytes
First seen:2021-02-09 18:57:53 UTC
Last seen:2021-02-09 21:54:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 568839388b24ae4abce14a8d1d27ca56 (2 x CobaltStrike)
ssdeep 6144:Ir89Fsud7SU3D0/HJ2s/drxhKuEKEueAOVMcgY5:IYTsud733wvJ2s/dIKa3LgY5
Threatray 216 similar samples on MalwareBazaar
TLSH BC449D0275C2C0B3C5631132096CD7769A3EBD204F618EEBA3D45E7DCE706D19E36A6A
Reporter JAMESWT_WT
Tags:CobaltStrike

Intelligence

File Origin
# of uploads :
2
# of downloads :
496
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://bobcatofchico.com/69138.exe
Verdict:
Malicious activity
Analysis date:
2021-02-09 18:26:50 UTC
Tags:
trojan cobaltstrike
Link:
https://app.any.run/tasks/b9c8093a-9aec-41f8-bd10-fac2b7e036db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116238/
Detection(s):
SecuriteInfo.com.Trojan.Heur.qGW@YcPJWLli.14163.19943.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/603489
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6aa7014299e01ce49789a7525d0eb3d4d685c220cae8ed4a6fa135c10d327762/
Threat name:
Win32.Hacktool.MetaSploit
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 18:39:46 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 29 (62.07%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nktqcquz4aoojf4ju5jf2dvt2tlilqrazluo2stpue24cdjso5ra._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0669ed0b204eb612f316f1f9d0724ac839c9f0bf8ae90df6d045d0bff0a0951c
CobaltStrike
53f90f56eddfb8953d72e1d20dde2b97d40021318fd32bf30710d24eeb4c4a30
CobaltStrike
58799ca0300fc3d337d339862c0d88519279bb77ed1ebf36634aaf63e7e47cbe
CobaltStrike
7801b75f545c24cf7fba8e98dc4505d21c1a11fd228d04685f714d2a0bef83f0
CobaltStrike
8c5d071dfff8c5ce27afc37e287a64ac273ac70d7bc556efd368616c6cc6386b
CobaltStrike
8f3eb6ca303de759c0530906ad4675432d7d3361641b46413e12f325b4028081
CobaltStrike
9b27a5018742f9fd6d6c1f94e56215b64eaf0b263e43b82feec02ceeab208398
CobaltStrike
cc2c6d177b60a3ec0aec1d38ba1f7942293ac85e688182f545720a952b511a97
CobaltStrike
d97f393c8e293b9c4ff0dc4674ba0f60544d75c029761a63f5fd11926bee57d9
CobaltStrike
daf02e94d294b29896ebfcab021f4184a232617d876f4a8745d10d803a170775
CobaltStrike
+ 206 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:metasploit backdoor trojan
Link:
https://tria.ge/reports/210209-5fx9kw44te/
Behaviour
Cobaltstrike
MetaSploit
Malware Config
C2 Extraction:
http://69.30.232.138:80/iBNc
http://69.30.232.138:80/cx
Unpacked files
SH256 hash:
6aa7014299e01ce49789a7525d0eb3d4d685c220cae8ed4a6fa135c10d327762
MD5 hash:
a4358c243781cfebde38208a7de89ef9
SHA1 hash:
100381f2cb15dcb02dc0af599c8cbc86f9ae8a43
Link:
https://www.unpac.me/results/5bd7ab4e-2f4f-46c5-b636-17cfd9410f46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6aa7014299e01ce49789a7525d0eb3d4d685c220cae8ed4a6fa135c10d327762

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Beacon_K5om
Create hunting rule
Author:Florian Roth
Description:Detects Meterpreter Beacon - file K5om.dll
Reference:https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:Leviathan_CobaltStrike_Sample_1
Create hunting rule
Author:Florian Roth
Description:Detects Cobalt Strike sample from Leviathan report
Reference:https://goo.gl/MZ7dRg
Rule name:Malware_QA_vqgk
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file vqgk.dll
Reference:VT Research QA
Rule name:MALWARE_Win_CobaltStrike
Create hunting rule
Author:ditekSHen
Description:CobaltStrike payload
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 6aa7014299e01ce49789a7525d0eb3d4d685c220cae8ed4a6fa135c10d327762

(this sample)

  
X
https://twitter.com/malware_traffic/status/1359208135576199179?s=20
  
URLhaus
https://urlhaus.abuse.ch/url/997502/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116238/

Comments