MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 12


Intelligence 12 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e
SHA3-384 hash: f64f5810c3ae8847e921c45ec8cd2851d81eeb0a1ffe551d04a2ccd312cd9177cf5ccb65a0df5573fa82132c304c352c
SHA1 hash: 0638b4b285c85709b83148ceeec44948644d6eac
MD5 hash: 1089b93a4a286283523deac740716ebd
humanhash: sierra-pip-ten-paris
File name:1089b93a4a286283523deac740716ebd
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:2'717'493 bytes
First seen:2021-06-28 09:05:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:7849/C3dg0+hMc3i6OO8Xn//9khY5Kxw6Oo/zWKigP4+JjbXhDQy3xa:7S3dg0+3i6OOokOKxw69/iKis4+JjDJI
Threatray 923 similar samples on MalwareBazaar
TLSH AEC52302BEC5A9B1C6320D36091AEB15157CBE508F14CB9FB7D89D1FAA350C0A365EE7
Reporter zbetcheckin
Tags:32 CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
522
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1089b93a4a286283523deac740716ebd
Verdict:
Malicious activity
Analysis date:
2021-06-28 09:07:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbe54c2f-d7ce-4fe9-bfbe-78e5070837a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrike
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168541/
Detection(s):
SecuriteInfo.com.BackDoor.Meterpreter.157.21786.11334.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87787492-7829-40c6-b3cc-3792af9c553c
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808730
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected CobaltStrike
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441141 Sample: 3DV0GRYK97 Startdate: 28/06/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 7 other signatures 2->37 6 3DV0GRYK97.exe 6 2->6         started        process3 file4 15 C:\Windows\...\flashplayerax_install_cn.exe, PE32 6->15 dropped 17 C:\Windows\...\Windows_Defender_SmartScre.exe, PE32+ 6->17 dropped 9 Windows_Defender_SmartScre.exe 6->9         started        13 flashplayerax_install_cn.exe 3 250 6->13         started        process5 dnsIp6 19 www.wuyoo.vip 104.21.68.200, 2083, 49714, 49717 CLOUDFLARENETUS United States 9->19 21 wuyoo.vip 172.67.198.44, 2083, 49711, 49715 CLOUDFLARENETUS United States 9->21 23 192.168.2.1 unknown unknown 9->23 39 Antivirus detection for dropped file 9->39 41 Multi AV Scanner detection for dropped file 9->41 43 Detected unpacking (creates a PE file in dynamic memory) 9->43 45 Contains functionality to detect sleep reduction / modifications 9->45 25 36d6250f.tweb.sched.ovscdns.com 101.33.11.45, 443, 49718 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 13->25 27 36d6250d.tweb.sched.ovscdns.com 101.33.11.48, 443, 49716, 49720 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 13->27 29 5 other IPs or domains 13->29 47 Detected unpacking (changes PE section rights) 13->47 signatures7
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e/
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 21:10:36 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwsnrdrp4fwtdgxpn52vbsrdphjfhkkd2rt55xbb47vd32yzieha._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9
CobaltStrike
286ac923f7619b720847b3820652ca94b3b09ee4885e581ced04e8f1395713b9
CobaltStrike
3175976cea0ac6b13312f1922423fca3f3d0bf99848f6b575c1063ed0f0cb8f4
CobaltStrike
79e0a26bc2c9c902744c618ad7af045e5b1ced50f98ca066a33df44218f84702
CobaltStrike
a8f0dbc38f4fa81b8dc71d6a69df4a5a9963ad57de7c491a61044dbe42f586e5
CobaltStrike
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
CobaltStrike
c19402ce537f9c7a2511484cdb5160719340543c11ae17b60ce2e1706173ceaa
CobaltStrike
e94c70d3dc3ab2496465e73bffc7c5f1bc3963f3ae309a88d5e16d5e54a540ce
CobaltStrike
ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549
CobaltStrike
f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d
CobaltStrike
+ 913 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:1 backdoor trojan
Link:
https://tria.ge/reports/210628-emekqgrdls/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Cobaltstrike
Malware Config
C2 Extraction:
http://wuyoo.vip:2083/fwlink
http://www.wuyoo.vip:2083/ga.js
Unpacked files
SH256 hash:
467f6766c0fe82abc9286b530d7fa455360c8c7f20a7f28461c54873e4e4de21
MD5 hash:
6be622c4fd3a217b3f45dcd0b1897ffe
SHA1 hash:
0d31265517b835028a81eaf4e16dd3b60d4bc874
Link:
https://www.unpac.me/results/9cbccb6e-c33a-4c62-b051-11f2f00a0654/
Parent samples :
e8d6393b63beba6b6cad43f7068f597f9a9c89effba80917412c3f438214ec5c
1eb83f805c41a946b3cf639512ddfe1da13fce7aca90270448f1b03c343befff
c513dde23b6e4d4274696e7598f01f0bc96953ad14556fb7de24c765ab574327
f52ed6bc805585d9e81b15a327af3ecbccc67aac180dff55968b5133035ce74d
b09326eda96f66176f54837d11d485a281dd89f24addc68f2c1e5cfedffe90e3
490c76da1ec8a15a782850b4468cc7ab780ce8cc436d7b490c280588864940cf
363e545ebbeb5eafa15f17986c7e90abebe28774b7b4bb2c1fcb2ff64c9158b8
021cdda10106e4db66873cd411ae3ea1d63ce01a0de1889f658d73c84ea00c8e
68ad2b97e4e2c2e2dedd7b7cbb3a0483c09948513f849bcd22ebeee1f8f40cd3
797c029eb74037b438d4c8eebc774dd45c243e86570d0a2118b168ea7472ca0d
a3ee42d49a63d91f51e144c2372002385da3573c8179ed743eef439904a6cdf4
55d421ed6221bf7cb9cfc4a78c3b7dd8407f19933fd26af3adb4f659bfe81abb
3803477a8eaad24fbd1fb71245a009f371eab35186065534bb14ae5dc41f8e4b
e88a142edb195e0d7e73616f3f5edc8a8ae6fd811c2985ac591c0925122ca8ee
66a517357eb8d9d77f8e4f1e67bcb3d3ad36b95010ae2a47caef8fe9018bcfe6
0916b368912885a4b72e1f309de846041bcbb3b74e478964f11797f0e4ace419
4c5b6f817e37e530c3440d02fcfd808aaef1e15f880fc9cdb43799ecc86bb1e9
d0d9d1a383cd3123e3a740793e4e9dab17701dd26856c3d13bdd84aa9b6f3c44
0504da7e2670ac33821b1d29ab8e430bd262a873fd07dfae680e7816c705cdd2
5783db0ba968957f967255d34b62546fdd3f6e70aa65b2b3fae44228bf6441ca
SH256 hash:
94bf4afd3a77d76311159daa2f19643a7f7d1e2c4b37807651b328feeef34668
MD5 hash:
1115be7832a7fa6005cb06aa20cdbb5c
SHA1 hash:
d0cf4dcc15749f031b4f5631bd603daf3bae1696
Link:
https://www.unpac.me/results/9cbccb6e-c33a-4c62-b051-11f2f00a0654/
SH256 hash:
cfd345f61fe6c93d1da3d37ecc6f992cd15e0c6ba5d78c65801277398aefd787
MD5 hash:
6e9bda5df8460b34099f23c7ab228a8a
SHA1 hash:
b8281f90aab42b7f5d6e83a483eb76d06d23764f
Link:
https://www.unpac.me/results/9cbccb6e-c33a-4c62-b051-11f2f00a0654/
SH256 hash:
a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e
MD5 hash:
1089b93a4a286283523deac740716ebd
SHA1 hash:
0638b4b285c85709b83148ceeec44948644d6eac
Link:
https://www.unpac.me/results/9cbccb6e-c33a-4c62-b051-11f2f00a0654/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Beacon_K5om
Create hunting rule
Author:Florian Roth
Description:Detects Meterpreter Beacon - file K5om.dll
Reference:https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:CS_beacon
Create hunting rule
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_4_2_Decrypt
Create hunting rule
Author:Elastic
Description:Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:Leviathan_CobaltStrike_Sample_1
Create hunting rule
Author:Florian Roth
Description:Detects Cobalt Strike sample from Leviathan report
Reference:https://goo.gl/MZ7dRg
Rule name:Malware_QA_vqgk
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file vqgk.dll
Reference:VT Research QA
Rule name:MALWARE_Win_CobaltStrike
Create hunting rule
Author:ditekSHen
Description:CobaltStrike payload
Rule name:MALW_cobaltrike
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect CobaltStrike beacon
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168541/

Comments