MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c29f1be7dafc7b0b64581e8b28857e988acf33874ce6af6c029c674be60025e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	8c29f1be7dafc7b0b64581e8b28857e988acf33874ce6af6c029c674be60025e
SHA3-384 hash:	223906907e50b275f419134e684162eec3141161598d07e16622d8f1cc6379683f8a7b43ae31b17f2ab9448ece52ed7f
SHA1 hash:	4f251af4e1cb6cd5aba192be20e16d4524083096
MD5 hash:	bc981a5dee62baa3a846a4e27239ac87
humanhash:	freddie-california-sixteen-tango
File name:	cs.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	226'816 bytes
First seen:	2022-02-07 16:08:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep	3072:AehkPLQDqKbB0BBV9+dR6mFxTwTlUpPVrKIcGEWYGev+suOBPnFi6rFy60lWqDT:ci176uTaerlVKPuO5nFi6rFyiE
TLSH	T18F24CE776A4C8763D01F44FCF4F636E48E26C1FB89D2583AE79571E8818A9143E3A391
Reporter	drb_ra
Tags:	CobaltStrike

Intelligence

File Origin

# of uploads :

# of downloads :

688

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cobaltstrike_shellcode.exe

Verdict:

No threats detected

Analysis date:

2022-02-07 16:08:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/be94b977-f350-41be-8ccf-4f49ee0a4e4e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/236077/

Detection(s):

Win.Backdoor.CobaltStrike-9909816-0

SecuriteInfo.com.Crypt5.BLLV.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Creating a file in the system32 directory

Sending a custom TCP request

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6271/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug obfuscated packed

Link:

https://www.filescan.io/uploads/620144204077c8b9a01bcb5f/reports/3120d97e-d098-4a9c-b47f-e914dac3f85f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d9a8e74e-362e-4822-a6a6-95a5307441e1

Result

Threat name:

CobaltStrike ReflectiveLoader

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/935318

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8c29f1be7dafc7b0b64581e8b28857e988acf33874ce6af6c029c674be60025e/

Threat name:

Win32.Trojan.CobaltStrike

Status:

Malicious

First seen:

2022-02-07 16:09:11 UTC

File Type:

PE (Exe)

AV detection:

38 of 43 (88.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rqu7dpt5v7d3bnsfqhulfccx5gekz4zyothgv5wafhdhjptaajpa._file

Verdict:

malicious

Label(s):

cobaltstrike

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:683371625 backdoor trojan

Link:

https://tria.ge/reports/220207-tlvvxaecdr/

Behaviour

Cobaltstrike

Malware Config

C2 Extraction:

http://rsasecu.com:80/s/ref=nb_sb_noss_1/743-21494898-1923945/field-keywords=man

Unpacked files

SH256 hash:

cc099f62d7a2a068fda0bdcbbeba09e503a58f45c5d37b82f4763c3837d7de14

MD5 hash:

414ebcdda08dbd1f6757429a5f4cdd1b

SHA1 hash:

2f73b8641416c25d03cf5019d07c23d7939a0d4c

Link:

https://www.unpac.me/results/fabda5bb-63df-488f-85d5-64c4c6eb02f7/

SH256 hash:

8c29f1be7dafc7b0b64581e8b28857e988acf33874ce6af6c029c674be60025e

MD5 hash:

bc981a5dee62baa3a846a4e27239ac87

SHA1 hash:

4f251af4e1cb6cd5aba192be20e16d4524083096

Link:

https://www.unpac.me/results/fabda5bb-63df-488f-85d5-64c4c6eb02f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobaltbaltstrike_strike_Payload_XORed Create hunting rule
Author:	Avast Threat Intel Team
Description:	Detects CobaltStrike payloads
Reference:	https://github.com/avast/ioc

Rule name:	HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5 Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in CobaltStrike shellcode
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Rule name:	HKTL_Unlicensed_CobaltStrike_EICAR_Jul18_5_RID361D Create hunting rule
Author:	Florian Roth
Description:	Detects strings found in malware samples in APT report in DarkHydrus
Reference:	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/236077/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample