MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f7191602d1224ce2b9636436f6a61cb47d5281fd1e4e7f2a49aabfb0e73ed5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	7f7191602d1224ce2b9636436f6a61cb47d5281fd1e4e7f2a49aabfb0e73ed5c
SHA3-384 hash:	a301f08c6ecc6646ccd75b672934ffd94f8da7c6690f83ebb46dd28cd131a41af496ded4cbed0cb3699beb10f662fc5d
SHA1 hash:	c8919251d16c4562c1233d3af073a3cc9071ce7e
MD5 hash:	3e9caf4d1e1b8d9a058c60e42bc44677
humanhash:	colorado-island-maryland-ohio
File name:	cs.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	228'864 bytes
First seen:	2022-06-29 00:12:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep	6144:cAt0p5uLzD4RBunt1ES4laJIdJrKHjX44p0Hi:cNp5uLz8RGt2S4l9BKHjXlpg
Threatray	673 similar samples on MalwareBazaar
TLSH	T1F724E07C01876450E00A8B76075319F86EF6F01FDB3E47DB5CBAB2E394A55267900BBA
TrID	38.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	drb_ra
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

612

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cobaltstrike_shellcode.exe

Verdict:

Malicious activity

Analysis date:

2022-06-28 23:17:05 UTC

Tags:

cobalt

Link:

https://app.any.run/tasks/7a35c335-903e-4e34-b158-a79fdb4f8c8b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/284070/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the system32 directory

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug cobalt obfuscated packed rozena siggen6 swrort virus

Link:

https://www.filescan.io/uploads/62bb99231ebc913a42045e0d/reports/4f49fcce-99e9-4d71-96e8-69f349003f5c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/83eea60c-e83d-4aec-8046-8332ee77f081

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1021556

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f7191602d1224ce2b9636436f6a61cb47d5281fd1e4e7f2a49aabfb0e73ed5c/

Threat name:

Win32.Trojan.CobaltStrike

Status:

Malicious

First seen:

2022-06-29 00:13:06 UTC

File Type:

PE (Exe)

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p5yzcybncism4k4wgzbw62tbznd5kka72hsop4vetkv7wdtt5voa._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

22b125d83e7497491777b1d35306054023475e4efb9ca67f15c16177f626c0e3

CobaltStrike

721c6cd41fa38ac1ac3ef3c20f00d942dbf7299ac4ab0f0ad7325a4c006824c2

CobaltStrike

79dbdb346aaa7d868b6a74552747246c988e5a18b1ea78c3f845fc49280089ab

CobaltStrike

8c29f1be7dafc7b0b64581e8b28857e988acf33874ce6af6c029c674be60025e

CobaltStrike

8f7b9a377a14260d8bdcc6e18e749013a0c2c09a60d46fa026d77f6d92b7b801

CobaltStrike

+ 663 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:1373622571 backdoor trojan

Link:

https://tria.ge/reports/220629-ahqx1afbe2/

Behaviour

Modifies system certificate store

Cobaltstrike

Malware Config

C2 Extraction:

http://sewahealthcare.com:443/discussion/

Unpacked files

SH256 hash:

209ffef3f625e53445806dd565fb8678281ede6ba1c7187e80e615c51d6131ee

MD5 hash:

eb98e27504148142ee71395323d03b7b

SHA1 hash:

a1d8857cce4db37c2fbb6b829580e0cc46c65e1e

Detections:

win_cobalt_strike_auto

Link:

https://www.unpac.me/results/06fc043c-7e02-44c3-8788-502af1e275e8/

SH256 hash:

08222ef383707bba13bd3d392ee5b7692bea564e3ecba9786a97866b2c1f42e4

MD5 hash:

7ad09e293439e6421b2d1c6f99c98ef5

SHA1 hash:

96de3eb6b084499bf9d0e60c89b792a766dbec33

Detections:

cobaltstrike_xor_config

Link:

https://www.unpac.me/results/06fc043c-7e02-44c3-8788-502af1e275e8/

SH256 hash:

7f7191602d1224ce2b9636436f6a61cb47d5281fd1e4e7f2a49aabfb0e73ed5c

MD5 hash:

3e9caf4d1e1b8d9a058c60e42bc44677

SHA1 hash:

c8919251d16c4562c1233d3af073a3cc9071ce7e

Link:

https://www.unpac.me/results/06fc043c-7e02-44c3-8788-502af1e275e8/

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7f7191602d12/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7f7191602d1224ce2b9636436f6a61cb47d5281fd1e4e7f2a49aabfb0e73ed5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_strike_Payload_XORed Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5 Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in CobaltStrike shellcode
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Rule name:	HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5_RID361D Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in malware samples in APT report in DarkHydrus
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/284070/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample