MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 14

Intelligence 14 IOCs YARA 14 File information Comments

SHA256 hash:	79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab
SHA3-384 hash:	de9139a8c0d84baeeff64739fc83cbd08b9a892839cbc9626580bf49249a052c05a2d8a46d13f961f79deaad5814983e
SHA1 hash:	8ae489a1dac4a0fcf5bda8cc62a5c149fb154773
MD5 hash:	724e5d44880e4ac026b1881b88f2d2e2
humanhash:	lamp-uranus-purple-alanine
File name:	cs.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	228'864 bytes
First seen:	2022-01-13 22:47:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	829da329ce140d873b4a8bde2cbfaa7e (254 x CobaltStrike)
ssdeep	6144:BY8SEQzT9io3eDwXu7WfwjV/VNgXXeehTTv4J:BYtr9ioKW2VdNgXXe9
Threatray	635 similar samples on MalwareBazaar
TLSH	T18024DFFA0EFC7C62F546D1B049B407FE8CEC7D9308A91A69CAF19F2348E2668530D164
Reporter	@drb_ra
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

Mail intelligence

No data

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cobaltstrike_shellcode.exe

Verdict:

No threats detected

Analysis date:

2022-01-13 22:47:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6399f5dc-e4bb-4bdb-87ef-de74d5b4ebe8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/219178/

Detection(s):

Win.Backdoor.CobaltStrike-9909816-0

SecuriteInfo.com.Crypt5.BLLV.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the system32 directory

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4143/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug obfuscated packed

Link:

https://www.filescan.io/uploads/61e0ac2ae997359713e89409/reports/4a0957ea-8a2b-40a8-b615-f97153535e93/overview

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dd65170a-8499-4658-bc23-8cd5a1e33076

Result

Threat name:

CobaltStrike ReflectiveLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/920488

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected ReflectiveLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab/

Threat name:

Win32.Trojan.CobaltStrike

Status:

Malicious

First seen:

2022-01-13 22:48:13 UTC

File Type:

PE (Exe)

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://www.spamhaus.org/query/hash/phn5wndkvj6ync3korksorzensmi4wqywhvhrq7yix6eskaargvq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

61a0bca8460972abed1f283c9e8a78e43e17e5177cc3a826d8d6beb4fcff14c2

CobaltStrike

840dd55418bf2bd428f401ee565f08aef2c92eab8b4709158a845dd981dc090e

CobaltStrike

b610633c3c8bbd28bd27021b942b8e4814466d6886525783bc88f87505ed4182

CobaltStrike

c1dd2c50a5ca07f1664a0950bcc93b2999bf32b5d11848f368130a43a364cf82

CobaltStrike

+ 625 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:1646603070 backdoor trojan

Link:

https://tria.ge/reports/220113-2q4bvachh9/

Behaviour

Cobaltstrike

Malware Config

C2 Extraction:

http://web.romeoechodeltateam.com:443/zC

Unpacked files

SH256 hash:

000ed573f53719d7d021e262f9e37c10be1934f18b85d15607d936964af6497b

MD5 hash:

41b0a14f5d4876b94e1041102fa9e8ac

SHA1 hash:

85c10e76e1912ee0c30f40c2cd444fd1ff40768f

Detections:

win_cobalt_strike_auto

Link:

https://www.unpac.me/results/83a424f9-5693-4b9a-bfc8-67b73eac4b11/

SH256 hash:

3e0111c91665023a9fa6c7da5a2d4f952a061a5cdc9f1f39f43d28497b2bd355

MD5 hash:

d88a669d4245fcee28919fe4325b6f04

SHA1 hash:

290a4c870294832dd5964c36cec64b82a5841d42

Detections:

win_cobalt_strike_auto

Link:

https://www.unpac.me/results/83a424f9-5693-4b9a-bfc8-67b73eac4b11/

SH256 hash:

79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab

MD5 hash:

724e5d44880e4ac026b1881b88f2d2e2

SHA1 hash:

8ae489a1dac4a0fcf5bda8cc62a5c149fb154773

Link:

https://www.unpac.me/results/83a424f9-5693-4b9a-bfc8-67b73eac4b11/

AV coverage:

73.53%

AV detections:

50 / 68

Link:

https://www.virustotal.com/gui/file/79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab/detection/f-79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab-1642114027

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab

YARA Signatures

MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:	Cobaltbaltstrike_strike_Payload_XORed Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	ditekshen, enzo & Elastic
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_ReflectiveLoader_RID3297 Create hunting rule
Author:	Florian Roth
Description:	Detects reflective loader (Cobalt Strike)
Reference:	http://www.clearskysec.com/tulip

Rule name:	CobaltStrike_Unmodifed_Beacon Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects unmodified CobaltStrike beacon DLL

Rule name:	crime_win32_csbeacon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Cobalt Strike loader
Reference:	https://twitter.com/VK_Intel/status/1239632822358474753

Rule name:	CS_beacon Create hunting rule
Author:	Etienne Maynier tek@randhome.io

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5 Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in CobaltStrike shellcode
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Rule name:	HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5_RID361D Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in malware samples in APT report in DarkHydrus
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	detects Reflective DLL injection artifacts

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	WiltedTulip_ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:	http://www.clearskysec.com/tulip

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/219178/

Comments

Login required

You need to login to in order to write a comment. Login with your Twitter account.

No comments found for this malware sample