MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25177f86963cd89171a6f06bcd0559806f7c1fa1cff3a52eee89ad38c024b819. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25177f86963cd89171a6f06bcd0559806f7c1fa1cff3a52eee89ad38c024b819
SHA3-384 hash: 00698e7c0c8f5b58aab1d3f6d16f9397a0b6ab67cdb5a79e44d0ca3bdd6b7bd6b6e3a0f53fa53279098ee794487803ac
SHA1 hash: 67bc7f825d6bf1a131e88b988f6c1a29c81a043a
MD5 hash: f372afce288f142c6c5c06e8c7b2e19c
humanhash: cola-high-bravo-quiet
File name:v.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:229'376 bytes
First seen:2022-12-26 13:18:02 UTC
Last seen:2022-12-26 14:28:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4bfb1481b8c8674ea2f0bf493819ad8 (2 x CobaltStrike)
ssdeep 3072:PFzMc5SPxCP7SHp8eEp1NjadPOo8WPWX1VJSsdWWzyWFLcIRQ7V+TzjmP2:mcSPcgp/2zaQf4C1P4wFL4P
Threatray 1'443 similar samples on MalwareBazaar
TLSH T1F5249D11B2A008F1DDB3A13A8553272AFAB63D0443249BCF13A04767AF6B7D1A93F755
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter dor0n
Tags:Cobalt Strike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
cobaltstrike
Create hunting rule
ID:
1
File name:
v.dll
Verdict:
Malicious activity
Analysis date:
2022-12-26 13:19:43 UTC
Tags:
cobaltstrike
Link:
https://app.any.run/tasks/eabcd254-3693-42a6-8339-d05782135924

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Lazy.278355.5592.19205.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63a99f0db9b1c173751fab7d/reports/96510335-0750-4e90-8992-f0d04c40892e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6cbcb039-574d-499c-ad5b-201bdc6787e5
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1141125
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 773855 Sample: v.dll.exe Startdate: 26/12/2022 Architecture: WINDOWS Score: 84 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 2 other signatures 2->42 8 loaddll64.exe 7 2->8         started        process3 dnsIp4 30 hakakebero.com 8->30 11 regsvr32.exe 6 8->11         started        15 rundll32.exe 6 8->15         started        17 cmd.exe 1 8->17         started        19 2 other processes 8->19 process5 dnsIp6 44 System process connects to network (likely due to code injection or exploit) 11->44 21 WerFault.exe 17 9 11->21         started        34 hakakebero.com 23.108.57.240, 443, 49698, 49699 LEASEWEB-USA-MIA-11US United States 15->34 23 WerFault.exe 21 9 15->23         started        25 rundll32.exe 6 17->25         started        signatures7 process8 dnsIp9 32 hakakebero.com 25->32 28 WerFault.exe 9 25->28         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25177f86963cd89171a6f06bcd0559806f7c1fa1cff3a52eee89ad38c024b819/
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2022-12-23 01:52:53 UTC
File Type:
PE+ (Dll)
AV detection:
13 of 40 (32.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eulx7buwhtmjc4ng6bv42bkzqbxxyh5bz7z2klxorgwtrqbexamq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
08ec3f13e8637a08dd763af6ccb46ff8516bc46efaacb1e5f052ada634a90c0e
CobaltStrike
35bcc6e1410f3b7ef95301d996f5713e6811fc09b98edeb51d0222cbe099ce14
CobaltStrike
5efe564a2c779adebab8e664d524a0cfd026c8ab3a57527bd1d821245ffc2a8c
CobaltStrike
74ace0111970edf84a676c96b0c8180b2f2f6bc0a3f8e7bd1db4c9505e7e1d17
CobaltStrike
936861ea91e37611908b21310d461eb7435f2912e9a7576cee22ce22342d659b
CobaltStrike
93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e
CobaltStrike
99be525b748064edaa30caa911b1122187139c463ad29068c3ee5cf69eed774e
CobaltStrike
a0410b34f9a1161434b2df05470e2bc5d917ad44e419fe9d6a5008e3e3898b47
CobaltStrike
a7a0025d77b576bcdaf8b05df362e53a748b64b51dd5ec5d20cf289a38e38d56
CobaltStrike
+ 1'433 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor trojan
Link:
https://tria.ge/reports/221226-qjybgagb7t/
Behaviour
Cobaltstrike
Malware Config
C2 Extraction:
http://hakakebero.com:443/html.html
Unpacked files
SH256 hash:
25177f86963cd89171a6f06bcd0559806f7c1fa1cff3a52eee89ad38c024b819
MD5 hash:
f372afce288f142c6c5c06e8c7b2e19c
SHA1 hash:
67bc7f825d6bf1a131e88b988f6c1a29c81a043a
Link:
https://www.unpac.me/results/baf3f5ec-c864-4e17-8877-76a228a2d587/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25177f86963c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25177f86963cd89171a6f06bcd0559806f7c1fa1cff3a52eee89ad38c024b819

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments