MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad4aa474affa78e820e731061ed7614feba095422465f0ca4c05a1f3506beb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	fad4aa474affa78e820e731061ed7614feba095422465f0ca4c05a1f3506beb8
SHA3-384 hash:	d0ac51d115c53036190f30dd290869addd98e9be967ad64299cd58d3f5962328917a59c80a2d655b6e5a0e067e23ce33
SHA1 hash:	a2d80534c25d2aad63e890d51b8fd4674311586f
MD5 hash:	254a83dec82335daf2ca5eea7ea3fa9a
humanhash:	hotel-alabama-cup-berlin
File name:	254a83dec82335daf2ca5eea7ea3fa9a
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	14'336 bytes
First seen:	2021-06-24 07:06:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dc25ee78e2ef4d36faa0badf1e7461c9 (118 x CobaltStrike, 5 x Cobalt Strike)
ssdeep	192:AVH+DgGK83SxHn2OQ/dmBI4KBfTgir+xzle4BoFP4VMqbqUqV/Qjo7AGa:At+kGKqbOCdWIVBff+xz44Be4LfCXAn
Threatray	298 similar samples on MalwareBazaar
TLSH	21522975EA0378F2FD1A897054EBB6FFAE73E1238C105CD5CFA4DC0158274A6880664D
Reporter	zbetcheckin
Tags:	32 CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

482

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

254a83dec82335daf2ca5eea7ea3fa9a

Verdict:

Malicious activity

Analysis date:

2021-06-24 07:10:57 UTC

Tags:

trojan meterpreter

Link:

https://app.any.run/tasks/7b3b4148-561e-41ae-8324-94f669f60967

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrikeBeacon

Link:

https://www.capesandbox.com/analysis/167872/

Detection(s):

Win.Trojan.CobaltStrike-7899872-1

Win.Countermeasure.LoaderWinGeneric-9804845-2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CobaltStrike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c17858d-5fc6-4cb0-a872-c43142c57135

Result

Threat name:

Metasploit

Detection:

malicious

Classification:

troj

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/807214

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/fad4aa474affa78e820e731061ed7614feba095422465f0ca4c05a1f3506beb8/

Threat name:

Win32.Trojan.CobaltStrike

Status:

Malicious

First seen:

2021-06-17 17:47:00 UTC

AV detection:

40 of 46 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7lkkur2k76ty5aqoomigd3lwct7luckuejdf6dfeybnb6nigx24a._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

0b88dd821cf352dd46cd57c0a5cc4542fead6bf4afe82ff1a52939be744df0ad

CobaltStrike

0e30a27d44484b9baa56e7b6050581e3edc3bd1b426057c85824d0cac493a3f1

CobaltStrike

2d797a098d2c0e164f5bfe29e3ae282f873709270f05950a3dc76d65f1acf47c

CobaltStrike

2f8571d423e2af665fecf616c284491982acd4d3ab59a4ceb0790fa713266376

CobaltStrike

53c9abf3e3d86b1d9d633aff273a70f11e83858d3fdb362108395f170bcdebc4

CobaltStrike

8af8a2aa6d8db7a9bf93620814017b5296713963b74aba38eb7a35e62dcb7d3e

CobaltStrike

8f3eb6ca303de759c0530906ad4675432d7d3361641b46413e12f325b4028081

CobaltStrike

a2bcce439cb511eca635e14943b916e86a121c7062ac978437d2d080a54fff26

CobaltStrike

f4ca63aeb4e3246c5d923942497d650bc3920c9fbc78a330ecf9d7db67e0cb8f

CobaltStrike

+ 288 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:cobaltstrike family:metasploit backdoor trojan

Link:

https://tria.ge/reports/210624-f53vptj97n/

Behaviour

Cobaltstrike

MetaSploit

Malware Config

C2 Extraction:

http://34.238.192.43:443/ajax/jquery.ui/1.12.1/jquery-ui.min.js

Unpacked files

SH256 hash:

fad4aa474affa78e820e731061ed7614feba095422465f0ca4c05a1f3506beb8

MD5 hash:

254a83dec82335daf2ca5eea7ea3fa9a

SHA1 hash:

a2d80534c25d2aad63e890d51b8fd4674311586f

Link:

https://www.unpac.me/results/6163ca60-2c53-411a-9257-f84e21e7fb7c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fad4aa474affa78e820e731061ed7614feba095422465f0ca4c05a1f3506beb8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	enzo
Description:	Cobalt Strike Beacon Payload

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	Trojan_Raw_Generic_4 Create hunting rule
Author:	FireEye
Reference:	https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html