MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dea90487e1a93c90ce29e2dc59cb50f136483c9207730c8affb1399a2444720b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dea90487e1a93c90ce29e2dc59cb50f136483c9207730c8affb1399a2444720b
SHA3-384 hash: a83ef724c1298ccfa2c6557d55427a059168c5ee17a47b994112a6888458170c5eb7db11e6a20350f7699502c1661ffd
SHA1 hash: f0a56566936ef2f2ea5f99ecc62a0d7bf21cd643
MD5 hash: 19a7b80bed6732587c2446d16fd00fa3
humanhash: bacon-vegan-carpet-white
File name:dea90487e1a93c90ce29e2dc59cb50f136483c9207730c8affb1399a2444720b
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:224'768 bytes
First seen:2020-11-10 11:19:38 UTC
Last seen:2024-07-24 22:12:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 829da329ce140d873b4a8bde2cbfaa7e (259 x CobaltStrike)
ssdeep 6144:Zya3BiANCLD3jN+wyUMA+z4V/TwaXKr0R:F3qBvHMA+0V/Twr0R
Threatray 179 similar samples on MalwareBazaar
TLSH AF24D0F1AEF27F76F06511FEC89DA1A48E2295270AE24C01E1F9BCF2B746AB45430175
Reporter seifreed
Tags:CobaltStrike

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/529683
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dea90487e1a93c90ce29e2dc59cb50f136483c9207730c8affb1399a2444720b/
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 11:23:11 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=32uqjb7bve6jbtrj4lofts2q6e3eqpesa5zqzcx7we4zujceoifq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
06ca809421d2bb32e8a5e1e2fd7531330e903544898017cc0b8f297a290a6a3a
CobaltStrike
3eeac52f9036116d189ca4aa82022efc7a764abe9d559129e6b3720cff203fd9
CobaltStrike
43bb1caa3132a11a1ada5b96f58868740acf3aeaf35287655ef22bc27ee31532
CobaltStrike
4d8232c8973ec2c528be5f380b9f027a7221023e2b2e774403a8839385b2e197
CobaltStrike
65b353273d5aa143b6ad5fc5ee4af51930ccef9ea96d07345a619f8950d1132d
CobaltStrike
70e96ab0deb629da68b0af277376f4598c1062064beecedf3ee8d72de0a9b1a1
CobaltStrike
86cd8e972618cd76afaf86c1315be7324588f957c2111f603326d086b17698e5
CobaltStrike
e05f6dab54210a041235191663afd7f296c4733e42d9f09b971a9861bf317df8
CobaltStrike
ec80dafae2b435962d141d4137ba9e9b84d36c5933828c490d113a88b9c4d2a5
CobaltStrike
fc4c45524b459ee65fff5e9bc484cb1209cf89cff5e9e5a534d439533a95ceed
CobaltStrike
+ 169 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201110-g1fm7fa1f6/
Unpacked files
SH256 hash:
105d7451d740894185d89eafd8af3de28d3800682f18a8d9a37d945e7eee68cf
MD5 hash:
c07a7c39cbc3e07b18265610aab422b1
SHA1 hash:
718f8f921181b9ecbe577a0666da240dbbbb8b95
Link:
https://www.unpac.me/results/8bebde27-8f2f-4ac7-9d70-72c28dc0aac0/
SH256 hash:
5f457c8d20276f4e18b0c67ff313b0b74fdde165c37cd5dd3a53aa24977c42e2
MD5 hash:
6cbaec884abf94c1cb69024c8c8690c8
SHA1 hash:
637da7eb2155fb307bdab7c842c71ebae70969fd
Link:
https://www.unpac.me/results/8bebde27-8f2f-4ac7-9d70-72c28dc0aac0/
SH256 hash:
dea90487e1a93c90ce29e2dc59cb50f136483c9207730c8affb1399a2444720b
MD5 hash:
19a7b80bed6732587c2446d16fd00fa3
SHA1 hash:
f0a56566936ef2f2ea5f99ecc62a0d7bf21cd643
Link:
https://www.unpac.me/results/8bebde27-8f2f-4ac7-9d70-72c28dc0aac0/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DarkHydrus_Jul18_5
Create hunting rule
Author:Florian Roth
Description:Detects strings found in malware samples in APT report in DarkHydrus
Reference:https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
Rule name:CobaltStrike_Sleep_Decoder_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike sleep_mask decoder
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:crime_win32_csbeacon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Cobalt Strike loader
Reference:https://twitter.com/VK_Intel/status/1239632822358474753
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Create hunting rule
Author:ditekSHen
Description:detects Reflective DLL injection artifacts
Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments