MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1593b2e890c7ac773d8e5b82e98ccaf38fa86b3a8b9b416b0bd7daa4df77421c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1593b2e890c7ac773d8e5b82e98ccaf38fa86b3a8b9b416b0bd7daa4df77421c
SHA3-384 hash: df0b20d5b774d7bcbd9c05b34d6dab03ff201a5dcf4d6ee0974b0b6f4b749e86474791f2bfc25914746019d81a17b7c5
SHA1 hash: c3db2593f73e0e0cddd3c679db914b9b6b4ad064
MD5 hash: 6095f8e8f0370345105b827a281245f5
humanhash: friend-early-four-glucose
File name:6095f8e8f0370345105b827a281245f5.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:1'004'319 bytes
First seen:2022-04-18 15:51:11 UTC
Last seen:2022-04-20 10:21:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a62a4e55e145a922e3a860d82c01e587 (13 x CobaltStrike)
ssdeep 24576:p1PghBzKWN1zjpjLJ1RxfawzZA2UDF/WYVO0dD:pVax1zBLnfNZA2UDgYE05
Threatray 1'582 similar samples on MalwareBazaar
TLSH T14D256B0BF6B842E5C0B6C17E8593966AF7B2B851473083C752919B1E5F377E4AA3E301
TrID 66.5% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter abuse_ch
Tags:CobaltStrike dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
687
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264379/
Detection(s):
Win.Malware.Cobaltstrike-9941357-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching cmd.exe command interpreter
Launching a process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
expand.exe explorer.exe greyware keylogger overlay packed rundll32.exe shell32.dll
Link:
https://www.filescan.io/uploads/625d88f5eab80a7a6c394b2c/reports/8a2bb932-3aba-498e-af0e-ae38e57c7564/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e2e008c-4991-4d92-8c0f-3f5f14292849
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978313
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610799 Sample: UmEASbD0GW.dll Startdate: 18/04/2022 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 5 other signatures 2->46 9 loaddll64.exe 1 2->9         started        process3 process4 11 rundll32.exe 9->11         started        15 cmd.exe 9->15         started        17 cmd.exe 1 9->17         started        dnsIp5 36 benokij.com 139.60.161.165, 443, 49772, 49773 HOSTKEY-USAUS United States 11->36 50 System process connects to network (likely due to code injection or exploit) 11->50 52 Queues an APC in another process (thread injection) 11->52 19 rundll32.exe 15->19         started        23 conhost.exe 15->23         started        25 rundll32.exe 17->25         started        signatures6 process7 dnsIp8 34 benokij.com 19->34 48 System process connects to network (likely due to code injection or exploit) 19->48 27 cmd.exe 1 25->27         started        signatures9 process10 process11 29 rundll32.exe 27->29         started        32 conhost.exe 27->32         started        dnsIp12 38 benokij.com 29->38
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1593b2e890c7ac773d8e5b82e98ccaf38fa86b3a8b9b416b0bd7daa4df77421c/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-04-18 15:52:11 UTC
File Type:
PE+ (Dll)
Extracted files:
68
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cwj3f2eqy6whopmolobotdgk6oh2q2z2ronuc2yl27nkjx3xiioa._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
396cb1296a9cd34bd0da4631fad97884645f2098e93772d5caad45fde23921c2
CobaltStrike
40c516a67062e113e4d9211890b926bc04a76624ab12379485014d4f5e987538
CobaltStrike
571c4f83d6f36a6a4e46e0015609200f66bb7943430177c9fd91a447bd33289c
CobaltStrike
5e2a11b6d44e66396f0ee23ead9dc4ccb4eda0664bbc097088bfa8fcdb200335
CobaltStrike
924be86257276507d117219a847223fc7eade64a5788f74a0d174a59ae20e0ab
CobaltStrike
929fb8f4c028bab8fcb5b1f89163abbfa088fadc9555efb5f6508e09d90d6654
CobaltStrike
+ 1'572 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor trojan
Link:
https://tria.ge/reports/220418-ta3rdahfc6/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Cobaltstrike
Malware Config
C2 Extraction:
http://benokij.com:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
1593b2e890c7ac773d8e5b82e98ccaf38fa86b3a8b9b416b0bd7daa4df77421c
MD5 hash:
6095f8e8f0370345105b827a281245f5
SHA1 hash:
c3db2593f73e0e0cddd3c679db914b9b6b4ad064
Link:
https://www.unpac.me/results/59019b45-f05e-4f53-a4fe-183f90fdd2f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1593b2e890c7ac773d8e5b82e98ccaf38fa86b3a8b9b416b0bd7daa4df77421c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 1593b2e890c7ac773d8e5b82e98ccaf38fa86b3a8b9b416b0bd7daa4df77421c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2090916/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/264379/

Comments