MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 118ed2b8b1f173f80cf2efd988170d78b876e0af02a10868b4d61aa01bedf1d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 5



SHA256 hash: 118ed2b8b1f173f80cf2efd988170d78b876e0af02a10868b4d61aa01bedf1d3
SHA3-384 hash: 2fd415296c5252a127b92470bce4699f0503a040c54c1dc05f0894a9196a97cac27451bb0334a53799aa503e1b68af08
SHA1 hash: d6031e10cddc8dd18a18cf9af25b93bc94c86d21
MD5 hash: 3db00828ac53a947f359dabaf0e7a81b
humanhash: emma-carpet-fanta-aspen
File name: 118ed2b8b1f173f80cf2efd988170d78b876e0af02a10868b4d61aa01bedf1d3
Signature: CobaltStrike
File size: 10'240 bytes
First seen: 2020-09-03 09:04:37 UTC
Last seen: 2020-09-03 09:48:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 96:YvlMbVS33kykMt6jpwaigWwNnUBFBbuiBOTXJchly0MxCX4kN1YYIzNt:Y65S3Uz66aaiF+UD9uigchrYcNFK
Threatray: 28 similar samples on MalwareBazaar
TLSH: DE22DA3849FD2AB7C469CBF7CAF38913F164E4363A110AAAA48753255783D1324833BD
Reporter: JAMESWT_WT
Tags: 47.93.254.49 Cobalt Strike

Intelligence


File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 64 / 100
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Threat name: ByteCode-MSIL.Trojan.Tiny
Status: Malicious
First seen: 2020-09-01 22:55:08 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments