MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 630cdc0a4d4681e9ab87229b23727641b11bfd1369272c23636deeb131291ca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 630cdc0a4d4681e9ab87229b23727641b11bfd1369272c23636deeb131291ca4
SHA3-384 hash: 3ffd55ea5d697c329d29cdecfb80e2d961925bf96c727d5986c58632ec552b08e24818e49cd58b2493c14598ae9797a4
SHA1 hash: 2a56482d9029ca915611486b70a2e9e832ccf5c4
MD5 hash: 807e647b48ba33cf756793fd79f7d34d
humanhash: ten-whiskey-angel-washington
File name:updx64.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:8'055'640 bytes
First seen:2022-09-28 18:26:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep 196608:ePLaAX0BAeL2Vmd6+DjnNgwQ+dtLJnM7kwRh7ytV6HZhb0:ux0TL2Vmd6mzNjBM7VRhUV6HH
Threatray 37 similar samples on MalwareBazaar
TLSH T154863394736009E5FDF7587AC4469A05CA2670271740CA8F8B50DAB22F0BBB1BDFAF51
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e4f4a494acb4b0a4 (6 x Stealc, 2 x MarsStealer, 2 x Formbook)
Reporter r3dbU7z
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
717
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314477/
Detection(s):
SecuriteInfo.com.W64.S-f7bcf467.Eldorado.13723.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Creating a window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39797/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware overlay packed python rozena
Link:
https://www.filescan.io/uploads/633491f790cb824e9d9fa255/reports/8ec0091e-eb3d-4bcd-89b8-b2a6a9b54f87/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a68eaac-18f9-479c-851a-6793f81a9a34
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079489
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL reload attack detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/630cdc0a4d4681e9ab87229b23727641b11bfd1369272c23636deeb131291ca4/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 01:18:39 UTC
File Type:
PE+ (Exe)
Extracted files:
456
AV detection:
16 of 40 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmgnycsni2a6tk4heknsg4twigyrx7itnetsyi3dnxxlcmjjdssa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
329d77b0ab5af0e568b9d56e3c3f7afc4266bf2cea0bd816ed4e67d4c9a09692
CobaltStrike
414d8e74cdb96fe1e8742018494be41cdebd5c11804a30a7876a5bcd7bf01764
CobaltStrike
476a05d5c8ef4444f96cbd02c3a315c56227b7510f75e82249a449bb79e977fc
CobaltStrike
4b56d8713523dea09695ec6beef98608c234e5f8a9be77be931a687c080fb0f1
CobaltStrike
5a84910606ad80acd72e15856c704e0a044f93d46df482d5629d4cc2c55d546b
CobaltStrike
88214cd533e440416cb5fec9e1a419ad952cd3524274110eaa8ce8e1dbcd826a
CobaltStrike
a07afb3f48c05bc311adc6a9473310e6b35e14f14920e543ee8ca032a0af637f
CobaltStrike
acb6ddc1461c0d9e81f482f4e5738f330d01f0365b6f95e44aa5792fbe8d7376
CobaltStrike
b000ebdd1ec391024c2d6a953a56485a5460ca449b419bb2380f210620d72dae
CobaltStrike
b8e807fd68dc28227145b1fed9a72e925c24ab76495dce4733e9656740732b1b
CobaltStrike
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/220928-w3sg8ahhen/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e5f7673e-b3dc-4bb4-a825-a54034663e95
Unpacked files
SH256 hash:
630cdc0a4d4681e9ab87229b23727641b11bfd1369272c23636deeb131291ca4
MD5 hash:
807e647b48ba33cf756793fd79f7d34d
SHA1 hash:
2a56482d9029ca915611486b70a2e9e832ccf5c4
Link:
https://www.unpac.me/results/09298cc2-1b94-4da6-9527-6cbb0f152d0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/630cdc0a4d4681e9ab87229b23727641b11bfd1369272c23636deeb131291ca4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 630cdc0a4d4681e9ab87229b23727641b11bfd1369272c23636deeb131291ca4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/314477/

Comments