MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6c2a34e3a85581ae83b048b0e66efd5bf6afb895b09ee4c38e61a219c549847. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 15

Intelligence 15 IOCs YARA 16 File information Comments

SHA256 hash:	f6c2a34e3a85581ae83b048b0e66efd5bf6afb895b09ee4c38e61a219c549847
SHA3-384 hash:	3cd0092a3d2ec024b0cecd4a8a4e368a4cc615d236487441fe2d9c65cb487fda7edf398c7ebf057ed84e9e138ecb8589
SHA1 hash:	d448e0404422b42ed5d339176acdab82a2e8207e
MD5 hash:	a88ba8cc2624297095ed8fd2e5fd82b3
humanhash:	ceiling-autumn-grey-west
File name:	a88ba8cc2624297095ed8fd2e5fd82b3.exe
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	696'944 bytes
First seen:	2023-07-09 10:26:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	feab990e57f5d1cbc0b20788b5084545 (1 x CobaltStrike)
ssdeep	12288:hNh5vbpurvJl6Sotbq44qoN/QZDtrLpjr1VMvv4JMJMPIAOPBEvvJw:hNzu6SotO44qyQZZrLekKsJw
Threatray	361 similar samples on MalwareBazaar
TLSH	T172E407C03756DCBBF896B03499414410BE6EBEE6F6D286DE12BCA20A4D3779058F8D17
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon	74f4e4cceac2c4dc (7 x AgentTesla, 6 x AveMariaRAT, 3 x CobaltStrike)
Reporter	obfusor
Tags:	Cobalt Strike exe signed

Code Signing Certificate

Organisation:	亚洲诚信代码签名测试证书
Issuer:	TrustAsia Code Signing CA
Algorithm:	sha1WithRSAEncryption
Valid from:	2018-01-29T05:39:00Z
Valid to:	2020-01-29T05:39:00Z
Serial number:	0a
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	751f92632d12af8972d20daec5409db521efd93013eca7769f39dd7a7f366b55
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

Vendor Threat Intelligence

Malware family:

cobaltstrike

ID:

File name:

a88ba8cc2624297095ed8fd2e5fd82b3.exe

Verdict:

Malicious activity

Analysis date:

2023-07-09 10:29:33 UTC

Tags:

cobaltstrike trojan

Link:

https://app.any.run/tasks/cff44dfa-e0d6-4a82-994b-cbaeb24d2c47

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/412763/

Detection(s):

SecuriteInfo.com.Adware.Certificate-1753.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending an HTTP GET request

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/96680/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cobaltstrike control greyware lolbin obfuscated overlay packed

Link:

https://www.filescan.io/uploads/64aa8b780e49d672f31ec7f0/reports/afe01556-d323-4ad3-8535-4840350f9afe/overview

Verdict:

Malicious

Labled as:

Cobaltstrike.Marte.B.Generic

Link:

https://www.hybrid-analysis.com/sample/f6c2a34e3a85581ae83b048b0e66efd5bf6afb895b09ee4c38e61a219c549847

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/96176d03-2dbc-4a05-af68-2379d1131495

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1270985

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sets debug register (to hijack the execution of another thread)

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6c2a34e3a85581ae83b048b0e66efd5bf6afb895b09ee4c38e61a219c549847/

Threat name:

Win64.Hacktool.CobaltStrike

Status:

Malicious

First seen:

2023-06-13 11:16:25 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 38 (52.63%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=63bkgtr2qvmbv2b3asfq4zxp2w7wv64jlme64tby4yncdhcutbdq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

337ba1bd5050c38f5e07f494d4dc0125276b0e0dea09667d86e7d763249c8f30

CobaltStrike

497f6f7e21dd3e9622c7cd9f96bb5359284cd21c24ea3faa99520397b911a08e

CobaltStrike

66f99d00978c99f2b5025ad213732f1543365a5cd55949736fa51552c21d25fa

CobaltStrike

8356f3fd326f41fcfbbc17c9fa1a81abe75aae2831b364bf6f6a100a2bebc5c2

CobaltStrike

cac95c6062dffb3995b56c092bd282c39ba8e4ec44131b8b5a830e134c248db8

CobaltStrike

f092970f8d406e0d01052e36238c3826d8392397802638af877a8d98ee6c9724

CobaltStrike

f5b401be01f2bc168083319bf1d491bc43b06d4022e0c72ed30b80ee5889be9e

CobaltStrike

+ 351 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:100000000 backdoor trojan

Link:

https://tria.ge/reports/230709-mg3xdsdb2s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Cobaltstrike

Malware Config

C2 Extraction:

http://8.134.99.117:8080/jquery-3.3.1.min.js

Unpacked files

SH256 hash:

f6c2a34e3a85581ae83b048b0e66efd5bf6afb895b09ee4c38e61a219c549847

MD5 hash:

a88ba8cc2624297095ed8fd2e5fd82b3

SHA1 hash:

d448e0404422b42ed5d339176acdab82a2e8207e

Detections:

cobaltstrike_xor_config

Link:

https://www.unpac.me/results/1aff69c7-2f09-4cf1-96f9-19a2a45b76e1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f6c2a34e3a85581ae83b048b0e66efd5bf6afb895b09ee4c38e61a219c549847

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	ditekshen, enzo & Elastic
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_C2_Encoded_XOR_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CobaltStrike_MZ_Launcher Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike MZ header ReflectiveLoader launcher

Rule name:	CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 Create hunting rule
Author:	gssincla@google.com
Description:	Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6
Reference:	https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse

Rule name:	CobaltStrike__Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 Create hunting rule
Author:	gssincla@google.com

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	Windows_Trojan_CobaltStrike_1787eef5 Create hunting rule
Author:	Elastic Security
Description:	CS shellcode variants

Rule name:	Windows_Trojan_CobaltStrike_f0b627fc Create hunting rule
Author:	Elastic Security
Description:	Rule for beacon reflective loader

Rule name:	Windows_Trojan_CobaltStrike_f0b627fc Create hunting rule
Description:	Rule for beacon reflective loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/412763/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample