MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 14


Intelligence 14 IOCs YARA 14 File information Comments

SHA256 hash: 79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab
SHA3-384 hash: de9139a8c0d84baeeff64739fc83cbd08b9a892839cbc9626580bf49249a052c05a2d8a46d13f961f79deaad5814983e
SHA1 hash: 8ae489a1dac4a0fcf5bda8cc62a5c149fb154773
MD5 hash: 724e5d44880e4ac026b1881b88f2d2e2
humanhash: lamp-uranus-purple-alanine
File name:cs.exe
Download: download sample
Signature CobaltStrike
File size:228'864 bytes
First seen:2022-01-13 22:47:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 829da329ce140d873b4a8bde2cbfaa7e (254 x CobaltStrike)
ssdeep 6144:BY8SEQzT9io3eDwXu7WfwjV/VNgXXeehTTv4J:BYtr9ioKW2VdNgXXe9
Threatray 635 similar samples on MalwareBazaar
TLSH T18024DFFA0EFC7C62F546D1B049B407FE8CEC7D9308A91A69CAF19F2348E2668530D164
Reporter @drb_ra
Tags:CobaltStrike

Intelligence


File Origin
# of uploads :
1
# of downloads :
234
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cobaltstrike_shellcode.exe
Verdict:
No threats detected
Analysis date:
2022-01-13 22:47:07 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the system32 directory
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug obfuscated packed
Malware family:
Cobalt Strike
Verdict:
Malicious
Result
Threat name:
CobaltStrike ReflectiveLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected ReflectiveLoader
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.CobaltStrike
Status:
Malicious
First seen:
2022-01-13 22:48:13 UTC
File Type:
PE (Exe)
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Result
Malware family:
cobaltstrike
Score:
  10/10
Tags:
family:cobaltstrike botnet:1646603070 backdoor trojan
Behaviour
Cobaltstrike
Malware Config
C2 Extraction:
http://web.romeoechodeltateam.com:443/zC
Unpacked files
SH256 hash:
000ed573f53719d7d021e262f9e37c10be1934f18b85d15607d936964af6497b
MD5 hash:
41b0a14f5d4876b94e1041102fa9e8ac
SHA1 hash:
85c10e76e1912ee0c30f40c2cd444fd1ff40768f
Detections:
win_cobalt_strike_auto
SH256 hash:
3e0111c91665023a9fa6c7da5a2d4f952a061a5cdc9f1f39f43d28497b2bd355
MD5 hash:
d88a669d4245fcee28919fe4325b6f04
SHA1 hash:
290a4c870294832dd5964c36cec64b82a5841d42
Detections:
win_cobalt_strike_auto
SH256 hash:
79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab
MD5 hash:
724e5d44880e4ac026b1881b88f2d2e2
SHA1 hash:
8ae489a1dac4a0fcf5bda8cc62a5c149fb154773

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:Cobaltbaltstrike_strike_Payload_XORed
Author:Avast Threat Intel Team
Description:Detects CobaltStrike payloads
Reference:https://github.com/avast/ioc
Rule name:CobaltStrikeBeacon
Author:ditekshen, enzo & Elastic
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_ReflectiveLoader_RID3297
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike)
Reference:http://www.clearskysec.com/tulip
Rule name:CobaltStrike_Unmodifed_Beacon
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:CS_beacon
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_Strings
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Meterpreter_inMemory
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5
Author:Florian Roth
Description:Detects strings found in CobaltStrike shellcode
Reference:https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
Rule name:HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5_RID361D
Author:Florian Roth
Description:Detects strings found in malware samples in APT report in DarkHydrus
Reference:https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
Rule name:HKTL_Win_CobaltStrike
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments