MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb8acf77891e1897c9dcab222d5a9424e1fd4eb0273e0def4e2872bd870c9901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 15

Intelligence 15 IOCs YARA 20 File information Comments 1

SHA256 hash:	fb8acf77891e1897c9dcab222d5a9424e1fd4eb0273e0def4e2872bd870c9901
SHA3-384 hash:	7e7aaef4b752625275803bd787fd39d6c00cb70a1d6e725993c269adad531f65c653d50610a18917418020bf46b673cd
SHA1 hash:	fce98aa07b88962d4768679b6dcc229e9df42233
MD5 hash:	a1d9d2b9440b1a33370302895edbf43b
humanhash:	speaker-hawaii-bluebird-robert
File name:	a1d9d2b9440b1a33370302895edbf43b
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	284'672 bytes
First seen:	2021-12-29 21:18:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dc25ee78e2ef4d36faa0badf1e7461c9 (118 x CobaltStrike, 5 x Cobalt Strike)
ssdeep	6144:0RM7UyLqQrVmwZWIfByVxH9bhd99q5EKWtOQDxw:0KQEqoVmwlZy/99lNw
Threatray	613 similar samples on MalwareBazaar
TLSH	T1BF54CE3E005539A3DE1BE5FEF3562637FE68B3F25836F01B9666CE80D211091A8581DB
Reporter	zbetcheckin
Tags:	32 CobaltStrike exe

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a1d9d2b9440b1a33370302895edbf43b

Verdict:

No threats detected

Analysis date:

2021-12-29 21:21:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6c7799e1-c094-4a1e-80a9-af5d73a1bee2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CobaltStrike

Link:

https://www.capesandbox.com/analysis/216822/

Detection(s):

Win.Trojan.CobaltStrike-7899872-1

Win.Countermeasure.LoaderWinGeneric-9804845-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

DNS request

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/3496/overview

Behaviour

MalwareBazaar

SystemUptime

CallSleep

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug

Link:

https://www.filescan.io/uploads/61ccd0ca8991ba72b39f146e/reports/d7a2d9cf-0590-46e5-8d7a-8f6f6785530e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b493f78-fb73-45a3-a36b-dbe6f0bd50ec

Result

Threat name:

CobaltStrike ReflectiveLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/913924

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: CobaltStrike Named Pipe

Yara detected CobaltStrike

Yara detected ReflectiveLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

cobaltstrike

Link:

https://mwdb.cert.pl/sample/fb8acf77891e1897c9dcab222d5a9424e1fd4eb0273e0def4e2872bd870c9901/

Threat name:

Win32.Backdoor.CobaltStrike

Status:

Malicious

First seen:

2021-12-29 21:19:11 UTC

File Type:

PE (Exe)

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ofm654jdymjpso4vmrc2wuuetq72tvqe47a332ofbzl3bymteaq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

1082724aab36b71b4dc71685776a7c8f5069dd4c269e514eed362af80e1e1450

CobaltStrike

2f8571d423e2af665fecf616c284491982acd4d3ab59a4ceb0790fa713266376

CobaltStrike

4848f4d9f2f20eb729f3cb2b7c80ee92d2fe4df59c847031123d714c3ad650af

CobaltStrike

638dabe5abd0593776c2644a7cf18d363fddfde3f93db92ab094dd2db9e6c69b

CobaltStrike

7c459b8af45fb919074c455f2114376b6c4ed126f75b73c9979ebdcce70538b0

CobaltStrike

925dbf95054df732ae3e22d9549cc9b8f9eee2fd0d05f9cc59091c197b6be637

CobaltStrike

956e66f820c127b655c4e59af455c4cc827d43b111f4cf260b6da1d30ac443b2

CobaltStrike

eb86c3f0afa27791f60270fdb97b4eed295b31735b6fb45c37a6503d0bf3511d

CobaltStrike

+ 603 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:0 backdoor trojan

Link:

https://tria.ge/reports/211229-z57ayadghn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Cobaltstrike

Unpacked files

SH256 hash:

2bb2983390f6bbcd85be26117c2f2d75c6d0fa0a52500b40fcf51b7fc43a9557

MD5 hash:

4dbf13b98f983677e65d4b9b5f9f16f3

SHA1 hash:

58608a335e4f79d4e034434a622cf3df355b0217

Detections:

win_cobalt_strike_auto

Link:

https://www.unpac.me/results/710914d7-7731-4e37-8be3-2e879f9c7044/

SH256 hash:

fb8acf77891e1897c9dcab222d5a9424e1fd4eb0273e0def4e2872bd870c9901

MD5 hash:

a1d9d2b9440b1a33370302895edbf43b

SHA1 hash:

fce98aa07b88962d4768679b6dcc229e9df42233

Link:

https://www.unpac.me/results/710914d7-7731-4e37-8be3-2e879f9c7044/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fb8acf77891e1897c9dcab222d5a9424e1fd4eb0273e0def4e2872bd870c9901

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Beacon_K5om Create hunting rule
Author:	Florian Roth
Description:	Detects Meterpreter Beacon - file K5om.dll
Reference:	https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html

Rule name:	Beacon_K5om_RID2B14 Create hunting rule
Author:	Florian Roth
Description:	Detects Meterpreter Beacon - file K5om.dll
Reference:	https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html

Rule name:	CobaltStrikeBeacon Create hunting rule
Author:	ditekshen, enzo & Elastic
Description:	Cobalt Strike Beacon Payload

Rule name:	CobaltStrike_C2_Encoded_XOR_Config_Indicator Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects CobaltStrike C2 encoded profile configuration

Rule name:	CobaltStrike_ReflectiveLoader_RID3297 Create hunting rule
Author:	Florian Roth
Description:	Detects reflective loader (Cobalt Strike)
Reference:	http://www.clearskysec.com/tulip

Rule name:	CobaltStrike_Unmodifed_Beacon Create hunting rule
Author:	yara@s3c.za.net
Description:	Detects unmodified CobaltStrike beacon DLL

Rule name:	crime_win32_csbeacon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Cobalt Strike loader
Reference:	https://twitter.com/VK_Intel/status/1239632822358474753

Rule name:	CS_beacon Create hunting rule
Author:	Etienne Maynier tek@randhome.io

Rule name:	HKTL_CobaltStrike_Beacon_Strings Create hunting rule
Author:	Elastic
Description:	Identifies strings used in Cobalt Strike Beacon DLL
Reference:	https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

Rule name:	HKTL_Meterpreter_inMemory Create hunting rule
Author:	netbiosX, Florian Roth
Description:	Detects Meterpreter in-memory
Reference:	https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Rule name:	HKTL_Win_CobaltStrike Create hunting rule
Author:	threatintel@volexity.com
Description:	The CobaltStrike malware family.
Reference:	https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/

Rule name:	INDICATOR_SUSPICIOUS_ReflectiveLoader Create hunting rule
Author:	ditekSHen
Description:	detects Reflective DLL injection artifacts

Rule name:	Leviathan_CobaltStrike_Sample_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Cobalt Strike sample from Leviathan report
Reference:	https://goo.gl/MZ7dRg

Rule name:	Leviathan_CobaltStrike_Sample_1_RID3324 Create hunting rule
Author:	Florian Roth
Description:	Detects Cobalt Strike sample from Leviathan report
Reference:	https://goo.gl/MZ7dRg

Rule name:	Malware_QA_vqgk Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file vqgk.dll
Reference:	VT Research QA

Rule name:	MALWARE_Win_CobaltStrike Create hunting rule
Author:	ditekSHen
Description:	CobaltStrike payload

Rule name:	PowerShell_Susp_Parameter_Combo Create hunting rule
Author:	Florian Roth
Description:	Detects PowerShell invocation with suspicious parameters
Reference:	https://goo.gl/uAic1X

Rule name:	PowerShell_Susp_Parameter_Combo_RID336F Create hunting rule
Author:	Florian Roth
Description:	Detects PowerShell invocation with suspicious parameters
Reference:	https://goo.gl/uAic1X

Rule name:	ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:	Internal Research

Rule name:	WiltedTulip_ReflectiveLoader Create hunting rule
Author:	Florian Roth
Description:	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:	http://www.clearskysec.com/tulip