MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77e4776f6db16b38b2bd6cd494017379be4cb291caab5300764c9d2857c49108. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77e4776f6db16b38b2bd6cd494017379be4cb291caab5300764c9d2857c49108
SHA3-384 hash: 14efffa2d890b34f72fedadde44cdecadf2a0fcbd434a4c2e4bb3ae7c2e6dae23246679b622fe108c20906271ebe4845
SHA1 hash: e96eed1b8ac0a86bacf7704cd546480a0db5fadc
MD5 hash: 765cf8227a47cef845b23e6b56acf926
humanhash: alpha-cola-twenty-maryland
File name:765cf8227a47cef845b23e6b56acf926.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:2'192'640 bytes
First seen:2021-07-13 12:35:09 UTC
Last seen:2021-07-13 14:02:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash db7948f7bb94c20ceb8e0b74d33d72f3 (2 x CobaltStrike)
ssdeep 49152:aH3vF85FshhD4ggDZ7tPxddC4dQnnwVc64E:cFWPx1dQnnwG6f
Threatray 164 similar samples on MalwareBazaar
TLSH T15CA56B03F79548E7C499C27882665362BB71FC89473AB3AB5BD41E312E32B905F6D384
Reporter abuse_ch
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
485
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171373/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37225344.5215.1386.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BIOPASS RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16238f1c-74dc-48aa-ba5c-cd2b8331c73c
Result
Threat name:
CobaltStrike Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
87 / 100
Link:
https://www.joesandbox.com/analysis/815530
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Gathers network related connection and port information
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Yara detected CobaltStrike
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447941 Sample: 8v4iWYLvKJ.exe Startdate: 13/07/2021 Architecture: WINDOWS Score: 87 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 5 other signatures 2->109 8 luac.exe 17 2->8         started        12 8v4iWYLvKJ.exe 26 2->12         started        15 Flash.exe 1 256 2->15         started        process3 dnsIp4 81 45.154.13.94, 443, 49716, 49719 BOHOBEACHCLUBSAHN Netherlands 8->81 83 lualibs.oss-cn-hongkong.aliyuncs.com 47.75.19.154, 49711, 49751, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 8->83 117 Gathers network related connection and port information 8->117 17 cmd.exe 8->17         started        19 cmd.exe 1 8->19         started        23 cmd.exe 1 8->23         started        25 2 other processes 8->25 85 eu-central-1.oss-acc.aliyuncs.com 47.254.186.176, 49710, 49752, 49757 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 12->85 91 3 other IPs or domains 12->91 63 C:\Users\user\AppData\Roaming\Flash.exe, PE32 12->63 dropped 65 C:\ProgramData\lua\luac.exe, PE32 12->65 dropped 67 C:\ProgramData\lua\lua.exe, PE32 12->67 dropped 69 7 other files (none is malicious) 12->69 dropped 87 101.33.10.52, 443, 49726, 49727 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 15->87 89 101.33.11.25, 443, 49725 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 15->89 93 8 other IPs or domains 15->93 119 Detected unpacking (changes PE section rights) 15->119 file5 signatures6 process7 dnsIp8 27 lua.exe 17->27         started        32 conhost.exe 17->32         started        79 127.0.0.1 unknown unknown 19->79 111 Uses netstat to query active network connections and open ports 19->111 113 Uses ipconfig to lookup or modify the Windows network settings 19->113 115 Gathers network related connection and port information 19->115 34 conhost.exe 19->34         started        42 3 other processes 19->42 36 conhost.exe 23->36         started        44 3 other processes 23->44 38 WMIC.exe 1 25->38         started        40 conhost.exe 25->40         started        46 6 other processes 25->46 signatures9 process10 dnsIp11 95 softres.oss-accelerate.aliyuncs.com 27->95 97 oss-acc-allline.aliyuncs.com.gds.alibabadns.com 27->97 99 4 other IPs or domains 27->99 71 C:\ProgramData\lua\ScheduleTask.dll, PE32 27->71 dropped 73 C:\ProgramData\...\libssl-1_1-x64.dll, PE32+ 27->73 dropped 75 C:\ProgramData\...\libcrypto-1_1-x64.dll, PE32+ 27->75 dropped 77 760 other files (none is malicious) 27->77 dropped 121 Gathers network related connection and port information 27->121 48 cmd.exe 27->48         started        51 cmd.exe 27->51         started        53 cmd.exe 27->53         started        61 107 other processes 27->61 55 NETSTAT.EXE 34->55         started        57 findstr.exe 34->57         started        59 findstr.exe 34->59         started        file12 signatures13 process14 signatures15 101 Gathers network related connection and port information 48->101
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77e4776f6db16b38b2bd6cd494017379be4cb291caab5300764c9d2857c49108/
Threat name:
Win64.Trojan.Cometer
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 12:12:54 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7sho33nwfvtrmv5ntkjialtpg7ezmurzkvvgadwjsosqv6eseea._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
06a2955307b8c26009b441754df7d0c94d3a913b0644a3c8779f592648dd1a0c
CobaltStrike
0adcf0b5e5216f4ac6fe82d4e2c7e351845cfaf6717552aaa0c80d643ee9f2ee
CobaltStrike
3175976cea0ac6b13312f1922423fca3f3d0bf99848f6b575c1063ed0f0cb8f4
CobaltStrike
5351984d7eaf9464f27c202f94b6475ffb73904191c973d7c737a0f3cdfbde0e
CobaltStrike
7566ae70559b61077911e17564dd470be33abcf8e725352f546a731af43e5297
CobaltStrike
75e03f40a088903579a436c0d8e8bc3d0d71cf2942ad793cc948f36866a2e1ad
CobaltStrike
a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e
CobaltStrike
a8f0dbc38f4fa81b8dc71d6a69df4a5a9963ad57de7c491a61044dbe42f586e5
CobaltStrike
e52ea54cfe3afd93a53e368245c5630425e326291bf1b2599b75dbf8e75b7aeb
CobaltStrike
e571cd3a4c0744cb3c5443b868577adced331a7545fcb6e2ed0efbe7506a2f9b
CobaltStrike
+ 154 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:metasploit botnet:305419896 backdoor spyware stealer trojan
Link:
https://tria.ge/reports/210713-jhh84r1gz6/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Cobaltstrike
MetaSploit
Malware Config
C2 Extraction:
http://45.154.13.94:443/F8JD2R
http://45.154.13.94:443/updates
Unpacked files
SH256 hash:
77e4776f6db16b38b2bd6cd494017379be4cb291caab5300764c9d2857c49108
MD5 hash:
765cf8227a47cef845b23e6b56acf926
SHA1 hash:
e96eed1b8ac0a86bacf7704cd546480a0db5fadc
Link:
https://www.unpac.me/results/3295a0f4-157f-4948-ba8b-4cb7054ccd4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/77e4776f6db16b38b2bd6cd494017379be4cb291caab5300764c9d2857c49108

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_Sleep_Decoder_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike sleep_mask decoder
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:CS_beacon
Create hunting rule
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171373/

Comments