MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9
SHA3-384 hash: 1d3f0c6d32a087f1a01d01ca8ab94243f0d4c87457eef976dc28333c02f7405f84edc8698b313b758a0ce4b39c70fecd
SHA1 hash: d535de08875cef1c49bfa2532281fa1254a8cb93
MD5 hash: a91bf61cc18705be2288a0f6f125068f
humanhash: quebec-gee-missouri-california
File name:DuDLLignce.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:704'512 bytes
First seen:2020-12-20 14:39:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:FJX/FCuR2pC5j9v9lef7wWrfTgDk64BrYJm+/c3wCPczKUqkf6T0in9CBlpKO0oq:FZZ1a
Threatray 646 similar samples on MalwareBazaar
TLSH 47E436653AFB605DF3E299AA4FD4F8BF9A1AF673270F30B91171034683129828D91735
Reporter srcr
Tags:CobaltStrike dll DUEDLLIGENCE FireEye X64


Avatar
srcr
Sample source: https://vx-underground.org/samples/Exotic/DarkHalo/DarkHalo.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
618
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DuDLLignce.dll
Verdict:
No threats detected
Analysis date:
2020-12-20 14:39:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0af8f4ca-4782-4f91-ace4-e035ec0c4bca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108624/
Detection(s):
Win.Trojan.DUEDILLIGENCE-9804815-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/567019
Signature
.NET source code contains process injector
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9/
Threat name:
ByteCode-MSIL.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2020-07-03 13:17:48 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dt2xcdsqbjbdxbfvd6r27xmsh7qkqjk4lal5gi4bovrd4lv37lmq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b
CobaltStrike
2af42a2047b16f2dea0038365058a8d8b7f71152117c371ce7f593e47aa785d1
CobaltStrike
3e6c11f27c1309c63abe0a1563c6141ce7b8d8110419c572be46dcb3578db443
CobaltStrike
49f80e9afca6ccd55838cd0e16639d51ed5db3d751f36ba7d79ea0678b50da6a
CobaltStrike
5b958499b0f7e27eda1e628f1122be0ea4ac505faa931e26f4ff39f6ce1c648e
CobaltStrike
a8241398b22ba3745b460a7a0c39cb9a86ca258b9283901d42e8dab283acb39b
CobaltStrike
b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429
CobaltStrike
bf9b98c2b8e313967028e6ba8760d9a23f6b93036b5f85631494e870a90af779
CobaltStrike
c3cd38ef21032f1410a496a7ca71239619a8d9aa289e70f05f42893def8129e0
CobaltStrike
f8c94e76f4d756924bf929b32f85158bc81911ce4a606af67e37460405e0ad3f
CobaltStrike
+ 636 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201220-ngkkzy6xy2/
Behaviour
Modifies system certificate store
Blocklisted process makes network request
Unpacked files
SH256 hash:
1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9
MD5 hash:
a91bf61cc18705be2288a0f6f125068f
SHA1 hash:
d535de08875cef1c49bfa2532281fa1254a8cb93
Link:
https://www.unpac.me/results/d6cdb563-f4ce-4bf6-b4a8-8d59a2b2cdad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CobaltStrike
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cf5710e500a423b84b51fa3afdd923fe0a8255c5817d3238175623e2ebbfad9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/108624/

Comments