MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7

SHA256 hash: 087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00
SHA3-384 hash: 1ca4bb0a166027992856d08aec24502ae35f370232569aa44c2bbbfc5c03285c275936bf29b47a7c40475d80a8964dcd
SHA1 hash: 960b1b4292c2a73fbe3c04a1ff938ffd76981620
MD5 hash: 1ddec479b1a7579fc52c734510473aa3
humanhash: apart-fix-november-mexico
File name: 162_64.dll
Signature: CobaltStrike
File size: 140'288 bytes
First seen: 2021-07-30 14:51:31 UTC
Last seen: 2021-07-30 15:48:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4bc3bc1845028ee5aec5946317d66d32 (1 x CobaltStrike)
ssdeep: 3072:wUJ9sXDS+LpeJ+zbCWS6FFswY0uYGpCM:ZsXDNBzbC76FFsjE
Threatray: 1'046 similar samples on MalwareBazaar
TLSH: T110D3B537FAB6218DF952D7306E57A512BDF578401E288E0C56128586CB6CDCCFE7BA02
Reporter: malware_traffic
Tags: Cobalt Strike CobaltStrike dll exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 976
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 162_64.dll
Verdict: No threats detected
Analysis date: 2021-07-30 14:58:06 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: CobaltStrike Process Patterns
Sigma detected: Regsvr32 Command Line Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph: [graph image not reproducible in text] Behavior Graph ID: 456955; Sample: 162_64.dll; Startdate: 30/07/2021; Architecture: WINDOWS; Score: 100.
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures.
Process tree recovered from the graph: loaddll64.exe starts regsvr32.exe, rundll32.exe, iexplore.exe and 7 other processes (among them rundll32.exe, cmd.exe, cmd.exe and 3 other processes); regsvr32.exe starts cmd.exe; rundll32.exe starts cmd.exe; iexplore.exe starts a child iexplore.exe; the cmd.exe instances start conhost.exe.
Network nodes recovered from the graph: regsvr32.exe connects to 162.244.80.46 (ports 49718, 49719, 49720; SERVERROOMUS, United States); rundll32.exe triggers "System process connects to network (likely due to code injection or exploit)"; iexplore.exe contacts 192.168.2.1 (unknown) and its child iexplore.exe contacts edge.gycpi.b.yahoodns.net (87.248.118.22, 443; YAHOO-DEBDE, United Kingdom), dart.l.doubleclick.net (142.250.186.70, 443; GOOGLEUS, United States) and 14 other IPs or domains.
File node recovered from the graph: cmd.exe (child of regsvr32.exe) dropped C:\Users\user\AppData\Local\...\DEMC569.tmp (ASCII).
Threat name: Win64.PUA.CobaltStrikeArtifact
Status: Malicious
First seen: 2021-07-30 04:55:11 UTC
AV detection: 14 of 27 (51.85%)
Threat level: 1/5

Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike botnet:0 backdoor suricata trojan
Behaviour
Suspicious use of WriteProcessMemory
Cobaltstrike
suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)
Malware Config
C2 Extraction:
http://162.244.80.46:80/components/mt.ico
http://162.244.80.46:80/copyright.js
Unpacked files
SHA256 hash: 087153ed5bb9bb9807e37a8fd745a16a634497a842896f232ab4cfb54197ba00
MD5 hash: 1ddec479b1a7579fc52c734510473aa3
SHA1 hash: 960b1b4292c2a73fbe3c04a1ff938ffd76981620
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.
