MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8518d86b514edfb1ff301d6526e4fbbc0d65aec52442dc108e0797a34c334879. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 13


Intelligence 13 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8518d86b514edfb1ff301d6526e4fbbc0d65aec52442dc108e0797a34c334879
SHA3-384 hash: 2a4e89558f5f6525a8345d46121de5bc34157d479c0d7645e3eb56d1ee11cc49578dd5a4a1651a4ed5d9e1fb1d086661
SHA1 hash: c140b7365e85234eb7eed3c5e048cba40553c8e4
MD5 hash: f797ff18e5508da7ed1732b11d800298
humanhash: hotel-delta-oven-whiskey
File name:2023-02-23-DLL-for-Cobalt-Strike.bin
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:276'992 bytes
First seen:2023-02-27 16:51:08 UTC
Last seen:2023-02-28 21:38:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b4f93fe95f579103440ea09c89ca9093 (1 x CobaltStrike)
ssdeep 6144:cUyU+8VVVOjeoo64Kk4OjrpwibuNe1wOTLmw2AyIk5UnrKM:cURp/OjHv4Kk1jNwauNe1wOTv2AUUr
TLSH T12D44AF023B713CD9FE17E8388CDA2855AF752EE75B95DB2611E1042A1C8F789E98CD13
Reporter malware_traffic
Tags:Cobalt Strike CobaltStrike dll exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
265
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
binary.dat
Verdict:
No threats detected
Analysis date:
2023-02-24 22:21:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b363224b-30b0-4b66-9f7f-b270c2bf07f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370362/
Detection(s):
SecuriteInfo.com.Trojan.Beacon.Shellcode.Marte.1.29442.30362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cobaltstrike obfuscated
Link:
https://www.filescan.io/uploads/63fcdfb4663463c1cb679f32/reports/62e47013-48f4-4606-8208-fe9affa1a5b9/overview
Verdict:
Malicious
Labled as:
Trojan.Beacon.Shellcode.Marte.Generic
Link:
https://www.hybrid-analysis.com/sample/8518d86b514edfb1ff301d6526e4fbbc0d65aec52442dc108e0797a34c334879
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Cobalt Strike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/acc87e90-869c-4753-9fc2-f7e75eb53e4e
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1183372
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 816204 Sample: 2023-02-23-DLL-for-Cobalt-S... Startdate: 27/02/2023 Architecture: WINDOWS Score: 92 15 Malicious sample detected (through community Yara rule) 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected CobaltStrike 2->19 21 3 other signatures 2->21 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8518d86b514edfb1ff301d6526e4fbbc0d65aec52442dc108e0797a34c334879/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2023-02-25 01:32:35 UTC
File Type:
PE+ (Dll)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qumnq22rj3p3d7zqdvssnzh3xqgwllwferbnyeeoa6l2gtbtjb4q._file
Verdict:
malicious
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:674054486
Link:
https://tria.ge/reports/230227-vddgbsed9s/
Malware Config
C2 Extraction:
http://aspnetcenter.com:80/da.html
Unpacked files
SH256 hash:
8518d86b514edfb1ff301d6526e4fbbc0d65aec52442dc108e0797a34c334879
MD5 hash:
f797ff18e5508da7ed1732b11d800298
SHA1 hash:
c140b7365e85234eb7eed3c5e048cba40553c8e4
Detections:
cobaltstrike_xor_config
Create hunting rule
Link:
https://www.unpac.me/results/56046c9c-dadc-4468-930b-f512e44b51be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/8518d86b514edfb1ff301d6526e4fbbc0d65aec52442dc108e0797a34c334879

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobaltbaltstrike_Beacon_x64
Create hunting rule
Author:Avast Threat Intel Team
Description:Detects CobaltStrike payloads
Reference:https://github.com/avast/ioc
Rule name:CobaltStrikeBeacon
Create hunting rule
Author:ditekshen, enzo & Elastic
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_C2_Encoded_XOR_Config_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike C2 encoded profile configuration
Rule name:CobaltStrike_MZ_Launcher
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike MZ header ReflectiveLoader launcher
Rule name:CobaltStrike_Sleep_Decoder_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike sleep_mask decoder
Rule name:CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
Author:gssincla@google.com
Description:Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6
Reference:https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
Rule name:CobaltStrike__Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6
Create hunting rule
Author:gssincla@google.com
Rule name:CS_beacon
Create hunting rule
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_4_2_Decrypt
Create hunting rule
Author:Elastic
Description:Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:malware_CobaltStrike_v3v4
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect CobaltStrike Beacon in memory
Reference:https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Windows_Trojan_CobaltStrike_1787eef5
Create hunting rule
Author:Elastic Security
Description:CS shellcode variants
Rule name:Windows_Trojan_CobaltStrike_b54b94ac
Create hunting rule
Description:Rule for beacon sleep obfuscation routine
Rule name:Windows_Trojan_CobaltStrike_b54b94ac
Create hunting rule
Author:Elastic Security
Description:Rule for beacon sleep obfuscation routine
Rule name:Windows_Trojan_CobaltStrike_f0b627fc
Create hunting rule
Description:Rule for beacon reflective loader
Rule name:Windows_Trojan_CobaltStrike_f0b627fc
Create hunting rule
Author:Elastic Security
Description:Rule for beacon reflective loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370362/

Comments