YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 393596fe020d2d0de1549bedbb47c6822c19c74e4702e75490bec3188f6ae019.

Scan Results


SHA256 hash: 393596fe020d2d0de1549bedbb47c6822c19c74e4702e75490bec3188f6ae019
File size: 266'240 bytes
File download: Original
MIME type: application/x-dosexec
MD5 hash: 5ca0d550cbdc898188a9dc8e90a4f0ef
SHA1 hash: 7d7bf093ba3392caafe6f27943709ebe3f811e12
SHA3-384 hash: a82b02ae3691dd4922b4e1c06e129d8ad6aadcd8134ec0fb29c111fa8eaaf02123d381d26b1055214713ad4af361e09c
First seen: 2025-01-28 16:33:27 UTC
Last seen: Never
Sightings: 1
imphash: e060daefaf7ff6c7401014aa587bc143
ssdeep: 6144:uJqVG5d1IpMyibgkTZI6jHID90a5BX5H/:u3d6tevoxpBXV
TLSH: n/a
telfhash: n/a
gimphash: n/a
dhash icon: n/a

Tasks


There is 1 task on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information


Task ID: 9a53ca4a-dd95-11ef-a38e-42010aa4000b
File name: 2a30000.dll
Task parameters:
ClamAV scan: True
Unpack: False
Share file: True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

Signature: Win.Tool.CobaltStrike-6336852-0
Signature: Win.Trojan.Cobaltstrike-10011492-0
Signature: Win.Trojan.CobaltStrike-8091534-0
Signature: Win.Trojan.Cobaltstrike-9955743-0

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name: Beacon_K5om
Author: Florian Roth (Nextron Systems)
Description: Detects Meterpreter Beacon - file K5om.dll
Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: Beacon_K5om_RID2B14
Author: Florian Roth
Description: Detects Meterpreter Beacon - file K5om.dll
Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
TLP: TLP:WHITE

Rule name: cobalt_strike_beacon_decrypted
Author: 0x0d4y
Description: This rule detects cobalt strike decrypted beacons.
TLP: TLP:WHITE
Repository: YARAify

Rule name: cobalt_strike_beacon_detected
Author: 0x0d4y
Description: This rule detects cobalt strike beacons.
TLP: TLP:WHITE
Repository: YARAify

Rule name: Cobaltbaltstrike_Beacon_x64
Author: Avast Threat Intel Team
Description: Detects CobaltStrike payloads
Reference: https://github.com/avast/ioc
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: CobaltStrike__Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6
Author: gssincla@google.com
TLP: TLP:WHITE
Repository: GCTI

Rule name: CobaltStrike_C2_Encoded_XOR_Config_Indicator
Author: yara@s3c.za.net
Description: Detects CobaltStrike C2 encoded profile configuration
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: CobaltStrike_MZ_Launcher
Author: yara@s3c.za.net
Description: Detects CobaltStrike MZ header ReflectiveLoader launcher
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: CobaltStrike_ReflectiveLoader_RID3297
Author: Florian Roth
Description: Detects reflective loader (Cobalt Strike)
Reference: http://www.clearskysec.com/tulip
TLP: TLP:WHITE

Rule name: CobaltStrike_Sleep_Decoder_Indicator
Author: yara@s3c.za.net
Description: Detects CobaltStrike sleep_mask decoder
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: CobaltStrike_Sleeve_Beacon_x64_v4_5_variant
Author: gssincla@google.com
Description: Cobalt Strike's sleeve/beacon.x64.dll Versions 4.5 (variant)
Reference: https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6
Author: gssincla@google.com
Description: Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6
Reference: https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: CobaltStrike_Unmodifed_Beacon
Author: yara@s3c.za.net
Description: Detects unmodified CobaltStrike beacon DLL
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: Cobaltstrike1
Author: Ahmet Payaslioglu | Binalyze DFIR LAB
Description: Cobalt Strike Detection
TLP: TLP:WHITE
Repository: AhmetPayaslioglu

Rule name: Cobaltstrike2
Author: Ahmet Payaslioglu | Binalyze DFIR LAB
Description: Cobalt Strike Detection
TLP: TLP:WHITE
Repository: AhmetPayaslioglu

Rule name: CobaltStrikeBeacon
Author: ditekshen, enzo & Elastic
Description: Cobalt Strike Beacon Payload
TLP: TLP:WHITE
Repository: CAPE

Rule name: crime_win32_csbeacon_1
Author: @VK_Intel
Description: Detects Cobalt Strike loader
Reference: https://twitter.com/VK_Intel/status/1239632822358474753
TLP: TLP:WHITE
Repository: k-vitali

Rule name: CS_beacon
Author: Etienne Maynier tek@randhome.io
TLP: TLP:WHITE
Repository: MalwareBazaar

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution
TLP: TLP:WHITE
Repository: YARAify

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
TLP: TLP:WHITE
Repository: YARAify

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
TLP: TLP:WHITE
Repository: YARAify

Rule name: HKTL_CobaltStrike_Beacon_4_2_Decrypt
Author: Elastic
Description: Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2
Reference: https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: HKTL_CobaltStrike_Beacon_Strings
Author: Elastic
Description: Identifies strings used in Cobalt Strike Beacon DLL
Reference: https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: HKTL_CobaltStrike_SleepMask_Jul22
Author: CodeX
Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated
Reference: https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: HKTL_Meterpreter_inMemory
Author: netbiosX, Florian Roth
Description: Detects Meterpreter in-memory
Reference: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: HKTL_Win_CobaltStrike
Author: threatintel@volexity.com
Description: The CobaltStrike malware family.
Reference: https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
TLP: TLP:WHITE

Rule name: INDICATOR_SUSPICIOUS_ReflectiveLoader
Author: ditekSHen
Description: Detects Reflective DLL injection artifacts
TLP: TLP:WHITE
Repository: diˈtekSHən

Rule name: Leviathan_CobaltStrike_Sample_1
Author: Florian Roth (Nextron Systems)
Description: Detects Cobalt Strike sample from Leviathan report
Reference: https://goo.gl/MZ7dRg
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: Leviathan_CobaltStrike_Sample_1_RID3324
Author: Florian Roth
Description: Detects Cobalt Strike sample from Leviathan report
Reference: https://goo.gl/MZ7dRg
TLP: TLP:WHITE

Rule name: MALW_cobaltrike
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Rule to detect CobaltStrike beacon
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
TLP: TLP:WHITE
Repository: advanced-threat-research

Rule name: malware_CobaltStrike_v3v4
Author: JPCERT/CC Incident Response Group
Description: detect CobaltStrike Beacon in memory
Reference: https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
TLP: TLP:WHITE
Repository: JPCERTCC

Rule name: Malware_QA_vqgk
Author: Florian Roth (Nextron Systems)
Description: VT Research QA uploaded malware - file vqgk.dll
Reference: VT Research QA
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: MALWARE_Win_CobaltStrike
Author: ditekSHen
Description: CobaltStrike payload
TLP: TLP:WHITE
Repository: diˈtekSHən

Rule name: meth_stackstrings
Author: Willi Ballenthin
TLP: TLP:WHITE
Repository: YARAify

Rule name: PowerShell_Susp_Parameter_Combo_RID336F
Author: Florian Roth
Description: Detects PowerShell invocation with suspicious parameters
Reference: https://goo.gl/uAic1X
TLP: TLP:WHITE

Rule name: ReflectiveLoader
Author: Florian Roth (Nextron Systems)
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
TLP: TLP:WHITE
Repository: YARAify

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE

Rule name: troj_win_cobaltstrike_memoryinject
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Detects Cobalt Strike payload typically loaded into memory via PowerShell.
TLP: TLP:WHITE
Repository: karttoon

Rule name: WiltedTulip_ReflectiveLoader
Author: Florian Roth (Nextron Systems)
Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference: http://www.clearskysec.com/tulip
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: win_cobalt_sleep_encrypt
Author: Matthew @ Embee_Research
Description: Detects Sleep Encryption Logic Found in Cobalt Strike Deployments
TLP: TLP:WHITE
Repository: YARAify

Rule name: win_cobalt_strike_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.cobalt_strike.
TLP: TLP:WHITE
Repository: Malpedia

Rule name: Windows_Trojan_CobaltStrike_1787eef5
Author: Elastic Security
Description: CS shellcode variants
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_CobaltStrike_3dc22d14
Author: Elastic Security
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_CobaltStrike_663fc95d
Author: Elastic Security
Description: Identifies CobaltStrike via unidentified function code
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_CobaltStrike_b54b94ac
Author: Elastic Security
Description: Rule for beacon sleep obfuscation routine
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_CobaltStrike_b54b94ac
Description: Rule for beacon sleep obfuscation routine
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_CobaltStrike_ee756db7
Author: Elastic Security
Description: Attempts to detect Cobalt Strike based on strings found in BEACON
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_CobaltStrike_ee756db7
Description: Attempts to detect Cobalt Strike based on strings found in BEACON
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_CobaltStrike_f0b627fc
Description: Rule for beacon reflective loader
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_CobaltStrike_f0b627fc
Author: Elastic Security
Description: Rule for beacon reflective loader
TLP: TLP:WHITE
Repository: elastic

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files


The following files could be unpacked from this sample.