MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb18432353e218676537e6fca6ab87c1ec57e356933eb8b6a4e012d1d6aaba63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 9

SHA256 hash: cb18432353e218676537e6fca6ab87c1ec57e356933eb8b6a4e012d1d6aaba63
SHA3-384 hash: 33a750abdbc0bb909621e422eb9e0c87dcf41d202f25cb2b1416423cf1d3d785b3bbebe56e93b9b9f387b8156527eb49
SHA1 hash: 1786a744cc2c04c085bd0ddee3981d0d8d2f9e63
MD5 hash: 4da9eff3a95a5a313218c1a0a4055647
humanhash: louisiana-alaska-pasta-carpet
File name: 4da9eff3a95a5a313218c1a0a4055647.exe
Signature: CobaltStrike
File size: 47'104 bytes
First seen: 2021-06-20 07:30:48 UTC
Last seen: 2021-06-20 08:48:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6355eedadf57c4a4eacc2aa5084a60c6 (1 x CobaltStrike)
ssdeep: 768:LCmaxqSsdl96nFQlr192Lq4KPgfqzwAvwUnj4:2mJS29uFQlr/2LpKeAvwu4
Threatray: 616 similar samples on MalwareBazaar
TLSH: 5C23750197AAAE92D2D178F98097B7ED47766B1D0D3B80FCCE867C48E83A94348395D0
Reporter: abuse_ch
Tags: CobaltStrike exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 579
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4da9eff3a95a5a313218c1a0a4055647.exe
Verdict: Malicious activity
Analysis date: 2021-06-20 07:31:57 UTC
Tags: trojan meterpreter

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Behavior Graph ID: 437276
Sample: Lo0XASbs86.exe
Start date: 20/06/2021
Architecture: WINDOWS
Score: 100

Signatures on the submitted sample:
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
6 other signatures

Process tree (reconstructed from the behavior graph; indentation shows parent/child):
Lo0XASbs86.exe (started)
  network: 103.234.72.237, 10920, 49688, 49693 (HIITL-AS-APHongKongFireLineNetworkLTDHK, Hong Kong)
  cmd.exe (started)
    dropped: C:\Users\user\AppData\Local\...\explorer.exe, PE32
    dropped: C:\Users\...\explorer.exe:Zone.Identifier, ASCII
    signature: Drops PE files with benign system names
    explorer.exe (started)
      signature: System process connects to network (likely due to code injection or exploit)
      signature: Multi AV Scanner detection for dropped file
      signature: Machine Learning detection for dropped file
      cmd.exe (started)
        cmd.exe (started)
          tasklist.exe (started)
        conhost.exe (started)
    cmd.exe (started)
      tasklist.exe (started)
    conhost.exe (started)
Threat name: Win32.Trojan.CobaltStrike
Status: Malicious
First seen: 2021-06-12 03:38:00 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5

Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike botnet:305419896 backdoor trojan
Behaviour:
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Cobaltstrike

Malware Config
C2 Extraction: http://103.234.72.237:10920/weixin/

Unpacked files
SHA256 hash: cb18432353e218676537e6fca6ab87c1ec57e356933eb8b6a4e012d1d6aaba63
MD5 hash: 4da9eff3a95a5a313218c1a0a4055647
SHA1 hash: 1786a744cc2c04c085bd0ddee3981d0d8d2f9e63
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CobaltStrikeBeacon
Author: enzo
Description: Cobalt Strike Beacon Payload

Rule name: CobaltStrike_Sleep_Decoder_Indicator
Author: yara@s3c.za.net
Description: Detects CobaltStrike sleep_mask decoder

Rule name: CobaltStrike_Unmodifed_Beacon
Author: yara@s3c.za.net
Description: Detects unmodified CobaltStrike beacon DLL

Rule name: crime_win32_csbeacon_1
Author: @VK_Intel
Description: Detects Cobalt Strike loader
Reference: https://twitter.com/VK_Intel/status/1239632822358474753

Rule name: CS_beacon
Author: Etienne Maynier tek@randhome.io

Rule name: HKTL_CobaltStrike_Beacon_Strings
Author: Elastic
Description: Identifies strings used in Cobalt Strike Beacon DLL
Reference: https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name: HKTL_Meterpreter_inMemory
Author: netbiosX, Florian Roth
Description: Detects Meterpreter in-memory
Reference: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name: HKTL_Win_CobaltStrike
Author: threatintel@volexity.com
Description: The CobaltStrike malware family.
Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name: INDICATOR_SUSPICIOUS_ReflectiveLoader
Author: ditekSHen
Description: Detects Reflective DLL injection artifacts

Rule name: ReflectiveLoader
Author: Florian Roth
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: WiltedTulip_ReflectiveLoader
Author: Florian Roth
Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference: http://www.clearskysec.com/tulip

Rule name: win_cobalt_strike_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments