MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14d35d94f1423f8611dd77fb5da29a006a7a59cc9ccd549c46cba36c017b1d2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14d35d94f1423f8611dd77fb5da29a006a7a59cc9ccd549c46cba36c017b1d2f
SHA3-384 hash: f63e61fbcd085d3d637812737fda602a89133e3e2b500e20100b070b19f0be6c6977337352d5a562e1b3b8f28ecc8e78
SHA1 hash: ed7acb67665323184a5df7964debbd40b75c1382
MD5 hash: 54890eb3412d6794d797fe49c73716c0
humanhash: alpha-charlie-burger-artist
File name:54890eb3412d6794d797fe49c73716c0.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:418'304 bytes
First seen:2021-08-16 06:48:13 UTC
Last seen:2021-08-16 07:50:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0d24ffe13b3120fbab4bd4048451b383 (1 x CobaltStrike)
ssdeep 6144:32sBBZySgkNl44nAvRoM9epsxvh9JKkIU6CXbNsZOzbjeUEM70I:DbZySgkzEoGeq9JRIGLNs3MP
Threatray 1'142 similar samples on MalwareBazaar
TLSH T18C944B46FAA485B0E02FD139C9A28B46EBB23458977187CB5395871E3F732E19D3D321
Reporter abuse_ch
Tags:CobaltStrike dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
533
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
54890eb3412d6794d797fe49c73716c0.dll
Verdict:
No threats detected
Analysis date:
2021-08-16 06:51:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24c972cf-608a-4f00-bd02-334d4dad3811

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179426/
Detection(s):
SecuriteInfo.com.Win64.Riskware.Meterpreter.N.29872.30047.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fa6ce31d-bd74-4164-badd-1c9053d6ad1c
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/833325
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: CobaltStrike Load by Rundll32
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 465755 Sample: 3qcZ6r3icy.dll Startdate: 16/08/2021 Architecture: WINDOWS Score: 92 26 Found malware configuration 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Yara detected CobaltStrike 2->30 32 3 other signatures 2->32 7 loaddll64.exe 1 2->7         started        process3 process4 9 rundll32.exe 1 8 7->9         started        13 rundll32.exe 6 7->13         started        15 cmd.exe 1 7->15         started        dnsIp5 22 crt.sectigo.com 91.199.212.52, 49723, 80 SECTIGOGB United Kingdom 9->22 24 nupahe.com 45.147.230.80, 443, 49721, 49722 COMBAHTONcombahtonGmbHDE Germany 9->24 34 System process connects to network (likely due to code injection or exploit) 9->34 17 rundll32.exe 6 15->17         started        signatures6 process7 dnsIp8 20 nupahe.com 17->20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14d35d94f1423f8611dd77fb5da29a006a7a59cc9ccd549c46cba36c017b1d2f/
Threat name:
Win64.Trojan.Shelma
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 06:49:05 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ctjv3fhrii7ymeo5o75v3iu2abvhuwomttgvjhcgzorwyal3duxq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0ecf5a2c06c78f79bc20180e1be1c9e41487b5789b1af712ebb7ed6091486536
CobaltStrike
2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c
CobaltStrike
6880a560c6cc3dd49bdc94a90dcc8dc69e55a6d842e76bb0dff0038bad6a762f
CobaltStrike
8438bfbb9c978de4f342a3ed19551f735343a9c1ed0c8610a332a83918cb5985
CobaltStrike
971c693bc67cf7b4b9655282b815bc1ba10ee937f1736ba1ef5fdb7aea392f6c
CobaltStrike
cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58
CobaltStrike
cf1043d00d87887f92a59e86296d1b7acaf37ccb33e9d2ce1f3c40d669de8ed5
CobaltStrike
e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407
CobaltStrike
+ 1'132 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor trojan
Link:
https://tria.ge/reports/210816-8g129zhnj2/
Behaviour
Modifies system certificate store
Blocklisted process makes network request
Cobaltstrike
Malware Config
C2 Extraction:
http://nupahe.com:443/files/r-arrow.png
http://nupahe.com:443/sq.html
Unpacked files
SH256 hash:
14d35d94f1423f8611dd77fb5da29a006a7a59cc9ccd549c46cba36c017b1d2f
MD5 hash:
54890eb3412d6794d797fe49c73716c0
SHA1 hash:
ed7acb67665323184a5df7964debbd40b75c1382
Link:
https://www.unpac.me/results/f693449d-cdb1-4ba5-af94-59037df0dcdb/
Malware family:
Cobalt Strike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/14d35d94f142/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14d35d94f1423f8611dd77fb5da29a006a7a59cc9ccd549c46cba36c017b1d2f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179426/

Comments