MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2d546749333d57f7370f528e63ab3b688f72b2b33fb33bdbcab494efc766bd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2d546749333d57f7370f528e63ab3b688f72b2b33fb33bdbcab494efc766bd1
SHA3-384 hash: 55a7b6182cf0c5d855d119bbf3c550256f44688670e739aae1fec7283aa86867fd42f16bf4a37f3aac9fe7e4211ccbc3
SHA1 hash: cce9113d8a8b515bfb7d83acf7b1996994144a33
MD5 hash: 459b0bdd45947e5861ce2d876c3c4033
humanhash: freddie-april-echo-cardinal
File name:update.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:431'104 bytes
First seen:2022-08-03 07:31:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e90de0c769aaf7f6d42e62efc3778812 (2 x CobaltStrike)
ssdeep 6144:r5nJbgFuOg/WOWu38XMamM+/FnFnFnFnFnFnFnFnFnFnFnFnFnFnFnFnFnFnFnFn:5VO/OWqE3l5zrCZBUeBI8l
Threatray 8 similar samples on MalwareBazaar
TLSH T1E1947B1401268397DAB51DF307D572CE8C1320DEB8B4CD272766DA6E47B23A7E91A23D
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.5% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter JAMESWT_WT
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
733
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
update.exe
Verdict:
No threats detected
Analysis date:
2022-08-03 08:10:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0db1d29b-4043-4586-afff-1aa378d3fe29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296096/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.8844.9470.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a file in the Program Files subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug explorer.exe packed
Link:
https://www.filescan.io/uploads/62ea24bc5c07b66577f18f0c/reports/4a69d575-9f21-4e0e-907a-21db02084ab1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
stunnel4
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/44c69297-9489-4c6a-8f6f-97b84b9ae21a
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1045445
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2d546749333d57f7370f528e63ab3b688f72b2b33fb33bdbcab494efc766bd1/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-08-03 07:32:08 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ulkum5etgpkx643q6uuomovtw2epokzlgp5thpn4vneu57dwnpiq._file
Verdict:
unknown
Similar samples:
481e9d59d029095c851ede4f139336a70b5b57f8e7b323a5b7c3609021cd54c2
CobaltStrike
68081a431396a2876a1f57b55ebfc2bfb762abcc4feb5d29e9b0415ef415d10e
CobaltStrike
79af3ed8a0c8344fb0bd82dd41e2cc753cf2f9c8825f333348ca2bebf1ede032
CobaltStrike
7d44007cdcfe063f3c1d38e29764e1b14ab2bbcea4cd90db04bdc8fa0c86b9aa
CobaltStrike
87dca59ec3d55bcb1b05da564e5ce0a164ab633f1c46a18a97f72a30efff7388
CobaltStrike
bdc7619588ad4a12c7711965b8c80991621646bb86d1ef8a8c19050c9082d45c
CobaltStrike
e65e6051980701ae9bcd600fd08c7be44f8f299c8ad68d8cbddf704f9757c870
CobaltStrike
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220803-jcykbshfbm/
Unpacked files
SH256 hash:
a2d546749333d57f7370f528e63ab3b688f72b2b33fb33bdbcab494efc766bd1
MD5 hash:
459b0bdd45947e5861ce2d876c3c4033
SHA1 hash:
cce9113d8a8b515bfb7d83acf7b1996994144a33
Link:
https://www.unpac.me/results/1758d47e-7394-40b6-9b70-0df2e64e3501/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/a2d546749333d57f7370f528e63ab3b688f72b2b33fb33bdbcab494efc766bd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrikeBeacon
Create hunting rule
Author:ditekshen, enzo & Elastic
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_C2_Encoded_XOR_Config_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike C2 encoded profile configuration
Rule name:CobaltStrike_Sleep_Decoder_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike sleep_mask decoder
Rule name:HKTL_CobaltStrike_Beacon_4_2_Decrypt
Create hunting rule
Author:Elastic
Description:Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:malware_CobaltStrike_v3v4
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect CobaltStrike Beacon in memory
Reference:https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe a2d546749333d57f7370f528e63ab3b688f72b2b33fb33bdbcab494efc766bd1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/296096/
  
URLhaus
https://urlhaus.abuse.ch/url/2264298/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2264306/

Comments