MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae5b18cb1f45bb4409facea15bd5e309af0ebc6c687ccd2d4273f2c7008925e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae5b18cb1f45bb4409facea15bd5e309af0ebc6c687ccd2d4273f2c7008925e4
SHA3-384 hash: 83a84d9a24706cccc859d659a0475b9378e1c86b2a2f6456ed38c2e51b32897e1261e15ba116094d05ce8e62012c3f7a
SHA1 hash: e49a51cceaa9423511be1a110a25934672869485
MD5 hash: bc055968569f6edba24a9fe62f51a8ad
humanhash: march-wisconsin-maryland-four
File name:e7539a18-c698-43ce-83b5-66cd25b49d1a
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:262'656 bytes
First seen:2021-06-18 06:44:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aa81c1b260a0efe3cd2c26c7046b78ed (2 x CobaltStrike)
ssdeep 3072:qc0nsHpyvGj346lbkBN/gppj8aJGIhxjT3A8ygbLAZmitdGlGOy9tQYJ1b/S1P3H:qc0bPzIpt8ahTw8PHA8itQsOIQv1uE
Threatray 200 similar samples on MalwareBazaar
TLSH 2B445A4572A07CF5ECA7D23AC657461BEFF27C224630D75F03641A6A4F273A1A22E721
Reporter pmsandstad
Tags:CobaltStrike CobaltStrike_Beacon exe


Avatar
pmsandstad
1768.py decoded the config:
File: bc055968569f6edba24a9fe62f51a8ad
payloadType: 0x00007530
payloadSize: 0x00000001
intxorkey: 0x00000001
id2: 0x000000ff
Config found: xorkey b'.' 0x0003aa30 0x00040200
0x0001 payload type 0x0001 0x0002 0 windows-beacon_http-reverse_http
0x0002 port 0x0001 0x0002 80
0x0003 sleeptime 0x0002 0x0004 5000
0x0004 maxgetsize 0x0002 0x0004 1048576
0x0005 jitter 0x0001 0x0002 0
0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d003081890281810086310c1deea54f3fab2193e4d8d31789e849f2e44b547ab561eff8f3d2f8fbb927a3ea4328b6afb1565f98737bf3edadd282e6ee2708085f466051773169b441e637877c713c9c638e214d47a2260f22ae43041b958e6cbbddd06c37d4ff795a8b1d591d7817779aa80dbc8323306cf3ee1204c5811d133f0094d0b007473373020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0x0008 server,get-uri 0x0003 0x0100 '180.101.217.175,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,27.221.28.182,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,123.125.46.41,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
0x0043 0x0001 0x0002 0
0x0044 0x0002 0x0004 4294967295
0x0045 0x0002 0x0004 4294967295
0x0046 0x0002 0x0004 4294967295
0x000e SpawnTo 0x0003 0x0010 (NULL ...)
0x001d spawnto_x86 0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
0x001e spawnto_x64 0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x001f CryptoScheme 0x0001 0x0002 0
0x001a get-verb 0x0003 0x0010 'GET'
0x001b post-verb 0x0003 0x0010 'POST'
0x001c HttpPostChunk 0x0002 0x0004 0
0x0025 license-id 0x0002 0x0004 426352781
0x0026 bStageCleanup 0x0001 0x0002 0
0x0027 bCFGCaution 0x0001 0x0002 0
0x0009 useragent 0x0003 0x0100 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
0x000a post-uri 0x0003 0x0040 '/N4215/adj/amzn.us.sr.aps'
0x000b Malleable_C2_Instructions 0x0003 0x0100 '\x00\x00\x00\x04'
0x000c http_get_header 0x0003 0x0200
b'Accept: */*'
b'Host: sougou.com'
b'session-token='
b'skin=noskin;'
b',csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
b'Cookie'
0x000d http_post_header 0x0003 0x0200
b'Accept: */*'
b'Content-Type: text/xml'
b' X-Requested-With: XMLHttpRequest'
b'Host: sougou.com'
b'\t'
b'sz=160x600'
b'\t'
b'oe=oe=ISO-8859-1;'
b'sn'
b'\t'
b's=3717'
b'\t'
b'dc_ref=http%3A%2F%2Fsougou.com'
0x0036 HostHeader 0x0003 0x0080 'Host: tencentcs.com\r\n'
0x0032 UsesCookies 0x0001 0x0002 1
0x0023 proxy_type 0x0001 0x0002 2 IE settings
0x003a 0x0003 0x0080 '\x00\x04'
0x0039 0x0003 0x0080 '\x00\x04'
0x0037 0x0001 0x0002 0
0x0028 killdate 0x0002 0x0004 0
0x0029 textSectionEnd 0x0002 0x0004 0
0x002b process-inject-start-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002c process-inject-use-rwx 0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002d process-inject-min_alloc 0x0002 0x0004 0
0x002e process-inject-transform-x86 0x0003 0x0100 (NULL ...)
0x002f process-inject-transform-x64 0x0003 0x0100 (NULL ...)
0x0035 process-inject-stub 0x0003 0x0010 '¤\x9fTEð\x1a\x9f2@î©änæl\x81'
0x0033 process-inject-execute 0x0003 0x0080 '\x01\x02\x03\x04'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0000

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e7539a18-c698-43ce-83b5-66cd25b49d1a
Verdict:
No threats detected
Analysis date:
2021-06-18 06:50:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/26f85c9e-408c-48f7-b61d-312ec1903b26

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/166748/
Detection(s):
Win.Tool.Mikey-9840271-0
Create hunting rule

Win.Tool.Mikey-9840272-0
Create hunting rule

Win.Trojan.Cobaltstrike-9840274-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db4f31e4-5ee2-4ad1-ad43-6ed8fd0d7a58
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/804164
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436572 Sample: e7539a18-c698-43ce-83b5-66c... Startdate: 18/06/2021 Architecture: WINDOWS Score: 92 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 4 other signatures 2->34 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        signatures5 36 Contains functionality to detect sleep reduction / modifications 10->36 17 WerFault.exe 20 9 10->17         started        19 rundll32.exe 13->19         started        21 WerFault.exe 9 15->21         started        process6 process7 23 WerFault.exe 9 19->23         started        dnsIp8 26 192.168.2.1 unknown unknown 23->26
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae5b18cb1f45bb4409facea15bd5e309af0ebc6c687ccd2d4273f2c7008925e4/
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 16:23:00 UTC
File Type:
PE+ (Dll)
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vznrrsy7iw5uicp2z2qvxvpdbgxq5pdmnb6m2lkcopzmoaejexsa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
047402ec1c36b09a5bbdf8cac3fd8f46cc1ea4c51a67f1bc347c2f4e4369cd6e
CobaltStrike
3a226a3d31e8ba855fbc78efb76f820306f4f60e979333b241c7dadd70a5740d
CobaltStrike
a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919
CobaltStrike
ca4b4b00239f166e04f394e397ce99d74129ca1917b8f95a92b8c722c9991832
CobaltStrike
d67758e9af27afd184165266c7aad94b9dd9c78d6266849c731f2a3b2cd40c09
CobaltStrike
d9330b86534b1b2285f6b39745490fdeafcca69d975302f06edb0e3ce1c744e7
CobaltStrike
dddf1d1b2b58721f04fe1eb77804d02fb5fc14deca7d8b4f6a9ce3c55644090e
CobaltStrike
df953c14e606e73ee478340153acb90999e8ba3546a01088546fd92bff03eedc
CobaltStrike
e625da9aa862eef338511a40f5e1ea8b05b4782dcd57a695a1c23538cd461424
CobaltStrike
ea3dcb24ae132149252ad1aba54c92317be45c3791f14007e94c1a7c509b3965
CobaltStrike
+ 190 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:426352781
Link:
https://tria.ge/reports/210618-8pxagb819s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://180.101.217.175:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://27.221.28.182:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://123.125.46.41:80/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Unpacked files
SH256 hash:
ae5b18cb1f45bb4409facea15bd5e309af0ebc6c687ccd2d4273f2c7008925e4
MD5 hash:
bc055968569f6edba24a9fe62f51a8ad
SHA1 hash:
e49a51cceaa9423511be1a110a25934672869485
Detections:
win_cobalt_strike_auto
Create hunting rule
Link:
https://www.unpac.me/results/a3254220-7ff0-4dcb-96a1-aa8d5ffa5487/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae5b18cb1f45bb4409facea15bd5e309af0ebc6c687ccd2d4273f2c7008925e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:CS_beacon
Create hunting rule
Author:Etienne Maynier tek@randhome.io
Rule name:HKTL_CobaltStrike_Beacon_4_2_Decrypt
Create hunting rule
Author:Elastic
Description:Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_CobaltStrike_Beacon_Strings
Create hunting rule
Author:Elastic
Description:Identifies strings used in Cobalt Strike Beacon DLL
Reference:https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:HKTL_Win_CobaltStrike
Create hunting rule
Author:threatintel@volexity.com
Description:The CobaltStrike malware family.
Reference:https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:MALW_cobaltrike
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect CobaltStrike beacon
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/search/ae5b18cb1f45bb4409facea15bd5e309af0ebc6c687ccd2d4273f2c7008925e4
Cape
Cape
https://www.capesandbox.com/analysis/166748/

Comments