MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29170db2866b123a1dd16867b991bd098acdebe9a452d33c70825133b6b7f035. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 8



SHA256 hash: 29170db2866b123a1dd16867b991bd098acdebe9a452d33c70825133b6b7f035
SHA3-384 hash: 1a552bf5b901757dea7a33107b4285af32f7605107997056f706fa0f0b2518379fb814cffe1d3708f8bc77b97d44201d
SHA1 hash: 57742f399abd7d290e9529df57d0f43d617e99fb
MD5 hash: 0c036691c0b40d8689c6e1792cabfc5a
humanhash: fillet-hotel-helium-glucose
File name: 16790921990.exe
Signature: CobaltStrike
File size: 1'617'920 bytes
First seen: 2022-05-30 13:34:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb275dabab1a4a86902b3396a5b6fe24 (1 x CobaltStrike)
ssdeep: 24576:kjD59o2OeAHGwPtDlOyP3x5zBsGvI01RWOY/om:AFhAmwPZAyP37zBPI1Nj
Threatray: 77 similar samples on MalwareBazaar
TLSH: T1F7759DD4B6A0CA52CFA7B07485A113B47814BCBA86176FB78514FA313C303F2BAD6E55
TrID:
  49.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  21.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.6% (.EXE) OS/2 Executable (generic) (2029/13)
  9.5% (.EXE) Generic Win/DOS Executable (2002/3)
  9.4% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 74e4c4e4c4d4d4c4 (1 x CobaltStrike, 1 x ValleyRAT)
Reporter: obfusor
Tags: CobaltStrike dropper exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'074
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 16790921990.exe
Verdict: No threats detected
Analysis date: 2022-05-30 13:37:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Creating synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Creating a process with a hidden window
Moving of the original file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe greyware shell32.dll
Result
Verdict: UNKNOWN

Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100

Signature
Deletes itself after installation
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file

Behaviour
Behavior Graph (ID: 636218; sample: 16790921990.exe; start date: 30/05/2022; architecture: WINDOWS; score: 60)
  16790921990.exe started (signature: Multi AV Scanner detection for submitted file)
    dropped file: C:\Windows\Temp\OfficeIm.exe (PE32+)
    signature: Deletes itself after installation
    started OfficeIm.exe
      DNS/IP: q50lw.oss-cn-beijing.aliyuncs.com 59.110.190.41, 443, 49721 (CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China)
      dropped file: C:\Windows\Temp\TencentSvc.exe (PE32+)
      signature: Multi AV Scanner detection for dropped file
      started TencentSvc.exe
        IP: 123.57.235.23, 443, 49770, 49784 (CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China)
        signature: Multi AV Scanner detection for dropped file
    started AcroRd32.exe
      started RdrCEF.exe
        IP: 192.168.2.1 (unknown, unknown)
        started RdrCEF.exe (3 instances) and 2 other processes
      started AcroRd32.exe

Threat name: Win64.Backdoor.PMax
Status: Malicious
First seen: 2022-05-30 13:35:09 UTC
File Type: PE+ (Exe)
Extracted files: 23
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: suricata

Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Unpacked files
SHA256 hash: 29170db2866b123a1dd16867b991bd098acdebe9a452d33c70825133b6b7f035
MD5 hash: 0c036691c0b40d8689c6e1792cabfc5a
SHA1 hash: 57742f399abd7d290e9529df57d0f43d617e99fb
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments