MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 17

Intelligence 17 IOCs YARA 8 File information Comments

SHA256 hash:	dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b
SHA3-384 hash:	c0bfae4651bfbace8a6d0cf61c57c00bec8d087f68b62daf87fe2f1f9a46ddc57cffc7ffe23405d3cbe9dd60a76a3a41
SHA1 hash:	057bfc5248277e653515eca5d13e87c66c8506a2
MD5 hash:	afa086d371f3af4df2e32707efcb252f
humanhash:	ohio-lion-fifteen-edward
File name:	dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	144'384 bytes
First seen:	2025-01-16 12:58:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	17b461a082950fc6332228572138b80c (121 x CobaltStrike, 2 x Cobalt Strike)
ssdeep	3072:SvIVVajNgK1dAiNgK1dAmBN/KESl+LEBN/KESl+L:SIaSK1sK11BN/5SgYBN/5Sg
TLSH	T134E3BFD2F7A0541FC429833181F68E309FB2BF01F52A2FD62BD5B61F9C3B5944592A26
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	60060f3f3f3f3f00 (2 x Sality, 1 x OrcusRAT, 1 x CobaltStrike)
Reporter	JAMESWT_WT
Tags:	103-116-245-79 CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

466

Origin country :

Vendor Threat Intelligence

Malware family:

cobaltstrike

ID:

File name:

dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b

Verdict:

Malicious activity

Analysis date:

2025-01-16 13:13:14 UTC

Tags:

cobaltstrike

Link:

https://app.any.run/tasks/f4334340-0029-4028-bbc1-31c6e71103c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.CobaltStrike-9044898-1

Win.Trojan.CobaltStrike-7899871-1

Win.Countermeasure.LoaderWinGeneric-9804845-2

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6789029e4487910100df9634

Tags:

cobaltstrike cobalt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug cobalt cobaltstrike config-extracted mingw packed packed packer_detected shelma windows

Link:

https://www.filescan.io/uploads/678902c7da9e4ac53391e509/reports/38d261f2-acf5-419b-be59-45952f61e9cb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/819e6df4-0e63-4ba8-94a6-29d1940ced3d

Result

Threat name:

CobaltStrike, Metasploit

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1592758

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found API chain indicative of debugger detection

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Yara detected CobaltStrike

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b/

Threat name:

Win64.Backdoor.Cobeacon

Status:

Malicious

First seen:

2024-04-29 12:48:00 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

32 of 38 (84.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3ukx7rfrei2hmc2adxovwcnpbrhy3rprmzpniwj4soansf6ihavq._file

Verdict:

malicious

Label(s):

metasploit

cobaltstrike

Similar samples:

error

CobaltStrike

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike backdoor trojan

Link:

https://tria.ge/reports/250116-p724wssldr/

Behaviour

Cobaltstrike

Cobaltstrike family

Malware Config

C2 Extraction:

http://103.116.245.79:808/VoRF

Verdict:

Malicious

Tags:

red_team_tool cobalt_strike Win.Trojan.CobaltStrike-9044898-1

YARA:

CobaltStrike_Resources_Artifact64_v3_14_to_v4_x win_cobaltstrike_pipe_strings_nov_2023 Windows_Trojan_CobaltStrike_7f8da98a HKTL_Imphashes_Aug22_1

Link:

https://app.threat.zone/submission/e5e0ce0d-546b-42bb-981c-107e5ef934e9

Unpacked files

SH256 hash:

dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b

MD5 hash:

afa086d371f3af4df2e32707efcb252f

SHA1 hash:

057bfc5248277e653515eca5d13e87c66c8506a2

Link:

https://www.unpac.me/results/b79fd2a7-208d-4ddc-9fd3-229a7431f6ef/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd157fc4b12234760b401ddd5b09af0c4f8dc5f1665ed4593c9380d917c8382b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrike_Resources_Artifact64_v3_14_to_v4_x Create hunting rule
Author:	gssincla@google.com
Description:	Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x
Reference:	https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse

Rule name:	CobaltStrike__Resources_Artifact64_v3_14_to_v4_x Create hunting rule
Author:	gssincla@google.com

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HKTL_Imphashes_Aug22_1 Create hunting rule
Author:	Florian Roth
Description:	Detects different hacktools based on their imphash
Reference:	Internal Research

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Trojan_CobaltStrike_7f8da98a Create hunting rule
Author:	Elastic Security

Rule name:	win_cobaltstrike_pipe_strings_nov_2023 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects default strings related to cobalt strike named pipes

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample