MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c48a7b74589b5f230855794ce757df2aa87294e984ee0fae8b45ad6a8e03a613. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cobalt Strike


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c48a7b74589b5f230855794ce757df2aa87294e984ee0fae8b45ad6a8e03a613
SHA3-384 hash: b7c2c67a76fef3bc5357548c410a8186dbec33f15432c23201fce79cb3367e5e9cd66b20dab42a02c923c58223e70ca5
SHA1 hash: 6b328730375b7ae85fff0b98f90b0665565e7dde
MD5 hash: 83a4aea64ba8e45f49f66c85306d3e32
humanhash: zebra-crazy-juliet-delaware
File name:EXPLORER.EXE
Download: download sample
Signature Cobalt Strike
Create hunting rule
File size:403'968 bytes
First seen:2024-12-01 10:57:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f991284e1b37cbeff70da64d25d4fdb6 (1 x Cobalt Strike)
ssdeep 6144:I6kpqUXv1EMDfTrOBs2n0cVsqwgW7SNk7p/nyIIUhcJTB51JJsxl:zLUXvqMKBsxJ8k7MIIycJTBHJJsx
Threatray 187 similar samples on MalwareBazaar
TLSH T1CE84E0727A689D8ED8E04B3C0132F738C8E29EF5ADB792367C5574613A39EC23511D26
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon e08c96374d37b2cc (1 x Cobalt Strike)
Reporter kafan_shengui
Tags:Cobalt Strike CobaltStrike domain fronting exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
US US
Vendor Threat Intelligence
Malware family:
cobaltstrike
Create hunting rule
ID:
1
File name:
EXPLORER.EXE
Verdict:
Malicious activity
Analysis date:
2024-12-01 11:01:04 UTC
Tags:
cobaltstrike upx
Link:
https://app.any.run/tasks/f879052c-72a2-43f7-895c-7fdbcbd03752

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.17113.6083.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674c42b904c232bff3b5769a
Tags:
ransomware virus spawn
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug explorer lolbin packed packed packed packer_detected upx
Link:
https://www.filescan.io/uploads/674c413b1bafd1e4c9be755a/reports/eb17698d-c4fd-4d50-ba77-8701760c8a68/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c48a7b74589b5f230855794ce757df2aa87294e984ee0fae8b45ad6a8e03a613
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a0e74f2e-3360-4e94-a13a-a93d63b6f50c
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1566113
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c48a7b74589b5f230855794ce757df2aa87294e984ee0fae8b45ad6a8e03a613
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c48a7b74589b5f230855794ce757df2aa87294e984ee0fae8b45ad6a8e03a613/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2024-12-01 10:58:05 UTC
File Type:
PE+ (Exe)
Extracted files:
53
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ysfhw5cytnpsgccvpfgoov67fkuhffhjqtxa7luliwwwvdqduyjq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0b1f6297e8bfa8fc9ff8a7ad85487ff456c0d66ef2d908588cd27345fba5f4e6
Cobalt Strike
24cf5566094b9c99b75303995b503b3285531d1313658f318a931424c9ef46d3
Cobalt Strike
359f9ca568b7525fa41e8ce63450ef4fe1f5c4ba5a334d1473ef93867b21f8a5
Cobalt Strike
4c0003c3a45e94129cd5b6771200feebc7c4f53f0d5b110276d8dc7ae29c9e8c
Cobalt Strike
5d48f8503446780ca198fb5a5c7ccebc7a8ca729f9a0cad78a2fc5f381500d13
Cobalt Strike
5ebde45359ac0a29318bbf1532367806a6219fae9a1508272862ecca77df2312
Cobalt Strike
65ccbd63fbe96ea8830396c575926af476c06352bb88f9c22f90de7bb85366a3
Cobalt Strike
ee08608492383853c0cf59e355f9721f413d83f18d3e4a2c344f5b90407caf4a
Cobalt Strike
error
Cobalt Strike
+ 177 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/241201-m2tjfstrbn/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1d6e4893-bacc-46f4-b02e-0b113293a9c3
Unpacked files
SH256 hash:
c48a7b74589b5f230855794ce757df2aa87294e984ee0fae8b45ad6a8e03a613
MD5 hash:
83a4aea64ba8e45f49f66c85306d3e32
SHA1 hash:
6b328730375b7ae85fff0b98f90b0665565e7dde
Link:
https://www.unpac.me/results/f246e366-447c-4c49-ac4a-8a00e74da1a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c48a7b74589b5f230855794ce757df2aa87294e984ee0fae8b45ad6a8e03a613

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments