MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e74bf09f32b2020d72de239ced4291970375366b26e0156bfdfc4eafa358349. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e74bf09f32b2020d72de239ced4291970375366b26e0156bfdfc4eafa358349
SHA3-384 hash: ba17cf7f3c9105b5c0cd07929859ec2e887584a6b1f601267de33764fd128878a2844acd926b98302b4133748d0ab6af
SHA1 hash: 7fade940717a8cfa022e4dfa58a52855e65829cc
MD5 hash: 2e91b50f5856ed0e8db2e68cbf011587
humanhash: berlin-asparagus-wolfram-football
File name:0e74bf09f32b2020d72de239ced4291970375366b26e0156bfdfc4eafa358349
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:16'248 bytes
First seen:2021-08-02 10:21:54 UTC
Last seen:2021-08-09 07:01:05 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 1dcdb5550f0e3d7e686b361f67a1f2d8 (1 x RedLineStealer, 1 x CobaltStrike, 1 x BitRAT)
ssdeep 192:E3j+vEMbdJkwKkFQVjFFRl6MCAdGlYqufZnFptC0g2Sumh8Y:OafFwjZQTGfZHtWumaY
Threatray 629 similar samples on MalwareBazaar
TLSH T1BF727CA70B1C7465FB4A1DB1C6C54375ACB1B7A09E82805212FDC89A2DCA3F06B7471B
Reporter JAMESWT_WT
Tags:ADRIATIK PORT SERVIS d.o.o. CobaltStrike dll signed

Code Signing Certificate

Organisation:ADRIATIK PORT SERVIS, d.o.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-05-28T00:00:00Z
Valid to:2022-05-28T23:59:59Z
Serial number: 670c3494206b9f0c18714fdcffaaa42f
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 5e278ee395cbc112b84a22c8c207ed60f5f507407b6452a89b0ec9acfa2dd166
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
481
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175768/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb93a7bc-128e-4d31-86f2-11967f7631e9
Result
Threat name:
Metasploit Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825446
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Metasploit Payload
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457858 Sample: lAFVkA8CLk Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 78 Multi AV Scanner detection for domain / URL 2->78 80 Antivirus detection for dropped file 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 6 other signatures 2->84 11 loaddll32.exe 1 2->11         started        process3 process4 13 rundll32.exe 2 11->13         started        17 cmd.exe 1 11->17         started        19 rundll32.exe 1 11->19         started        dnsIp5 76 mw.elit-platinum.com 191.101.115.15, 49713, 49714, 49717 ASDETUKhttpwwwheficedcomGB Chile 13->76 96 System process connects to network (likely due to code injection or exploit) 13->96 98 Drops PE files to the user root directory 13->98 100 Drops PE files with a suspicious file extension 13->100 21 hlthsys64.pif 4 13->21         started        25 rundll32.exe 1 17->25         started        28 hlthsys64.pif 19->28         started        signatures6 process7 dnsIp8 58 C:\Users\user\AppData\Local\...\setup.exe, PE32 21->58 dropped 60 C:\ProgramData\...\vcredist_x86.exe, PE32 21->60 dropped 62 C:\ProgramData\...\VC_redist.x64.exe, PE32 21->62 dropped 68 87 other malicious files 21->68 dropped 86 Creates an undocumented autostart registry key 21->86 88 Drops PE files with a suspicious file extension 21->88 90 Drops executable to a common third party application directory 21->90 92 Infects executable files (exe, dll, sys, html) 21->92 30 hlthsys64.pif 1 21->30         started        74 mw.elit-platinum.com 25->74 64 C:\Users\user\hlthsys64.pif, PE32 25->64 dropped 33 hlthsys64.pif 3 25->33         started        66 C:\Windows\svchost.com, PE32 28->66 dropped 36 hlthsys64.pif 28->36         started        file9 signatures10 process11 file12 102 Injects a PE file into a foreign processes 30->102 38 hlthsys64.pif 30->38         started        50 C:\Users\user\AppData\Local\...\hlthsys64.pif, PE32 33->50 dropped 52 C:\...\protocolhandler.exe, PE32 33->52 dropped 54 C:\Program Files (x86)\...\misc.exe, PE32 33->54 dropped 56 19 other malicious files 33->56 dropped 104 Infects executable files (exe, dll, sys, html) 33->104 41 hlthsys64.pif 33->41         started        44 hlthsys64.pif 36->44         started        signatures13 process14 dnsIp15 70 45.140.17.75, 10443, 49726, 49728 BITWEB-ASRU Russian Federation 38->70 72 192.168.2.1 unknown unknown 38->72 94 Injects a PE file into a foreign processes 41->94 46 hlthsys64.pif 41->46         started        signatures16 process17 process18 48 WerFault.exe 46->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e74bf09f32b2020d72de239ced4291970375366b26e0156bfdfc4eafa358349/
Threat name:
Win32.Trojan.Mukeralmoh
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 06:43:00 UTC
File Type:
PE (Dll)
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bz2l6cptfmqcbvzn4i445vbjdfydou3gwjxacvv737cov6rvqneq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
17255c61dca3b8f58f9d1e34f562714c0b0b5b1b0925401a501b1ee9c9376d66
CobaltStrike
216c8471db4ab3a785f395c8c059d767798a6ffd5fbbf6e72f745ea506bd1cd9
CobaltStrike
2231fe26243e074c03019cb2e2a4f25c0ef60bc9e82022f3e88fc77c4bf18102
CobaltStrike
5701a3c3a5ba47dfdf1fa7b70335419c2889b6649d30964145f68815920f7616
CobaltStrike
5aedcd88018ef8f4a70a04ca259e7f2a087fde8ef98c7bbe21b1d511dd00a731
CobaltStrike
a3499e847373725d2924a5914b9ac861fda3c53b31ca5cfcaa02b9363f205774
CobaltStrike
de095ea31816e724d6ec46f703b096e893efec5bcba9d018c52820e22d4fbd45
CobaltStrike
+ 619 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:metasploit botnet:0 backdoor persistence spyware stealer trojan
Link:
https://tria.ge/reports/210802-3bthaw9b6j/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Cobaltstrike
MetaSploit
Modifies system executable filetype association
Malware Config
C2 Extraction:
http://45.140.17.75:10443/UIHv
http://45.140.17.75:10443/visit.js
Unpacked files
SH256 hash:
0e74bf09f32b2020d72de239ced4291970375366b26e0156bfdfc4eafa358349
MD5 hash:
2e91b50f5856ed0e8db2e68cbf011587
SHA1 hash:
7fade940717a8cfa022e4dfa58a52855e65829cc
Link:
https://www.unpac.me/results/3884dd1f-b70e-4fc8-9d96-8f7eafa1b4c7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0e74bf09f32b2020d72de239ced4291970375366b26e0156bfdfc4eafa358349

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175768/

Comments