MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9
SHA3-384 hash: 35916f4852a52ebf9632f975457d17a32234ec7b7c6224964e6f4591b5c4d1643f002962a8f38bc38e624c450d3ca58d
SHA1 hash: 4925d41d6db6e3f47250be8cdc21bb1548c7261a
MD5 hash: 2abdfeb9090ff090ae9db0a5559e09c7
humanhash: lima-sad-sweet-west
File name:2abdfeb9090ff090ae9db0a5559e09c7.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:526'816 bytes
First seen:2021-07-19 05:50:20 UTC
Last seen:2021-07-20 06:13:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be8b4e049a09cb45ddd7816620212c (1 x CobaltStrike)
ssdeep 12288:9iSHxfoBGUL3suI5knw6Lc7h0zHaPveW7EPH8w:wSH2GeXfnrLsmzHah+8w
Threatray 917 similar samples on MalwareBazaar
TLSH T1FFB44A0AFB6444A6D063D139C9638A86E7B17C894B60838F4361E77F2F337A19D39721
Reporter abuse_ch
Tags:CobaltStrike dll exe Tellingent Limited

Intelligence

File Origin
# of uploads :
4
# of downloads :
535
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2abdfeb9090ff090ae9db0a5559e09c7.dll
Verdict:
No threats detected
Analysis date:
2021-07-19 05:52:50 UTC
Tags:
installer
Link:
https://app.any.run/tasks/16cddc45-ca62-4015-b6aa-c6ee905f7026

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172465/
Detection(s):
SecuriteInfo.com.Win32.RiskWare.Meterpreter.Agent.AF.21405.203.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bdb8b3ad-7b56-40d2-9338-6fbf8a28e169
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/818048
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: CobaltStrike Load by Rundll32
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450459 Sample: ZWQelKES9A.dll Startdate: 19/07/2021 Architecture: WINDOWS Score: 92 26 Multi AV Scanner detection for domain / URL 2->26 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 3 other signatures 2->32 7 loaddll64.exe 1 2->7         started        process3 process4 9 rundll32.exe 6 7->9         started        13 rundll32.exe 6 7->13         started        15 cmd.exe 1 7->15         started        dnsIp5 24 softzbh.com 185.64.106.64, 443, 49709, 49710 IST-ASLT Lithuania 9->24 34 System process connects to network (likely due to code injection or exploit) 9->34 17 rundll32.exe 6 15->17         started        signatures6 process7 dnsIp8 20 softzbh.com 17->20 22 192.168.2.1 unknown unknown 17->22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9/
Threat name:
Win64.Trojan.Shelma
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 05:51:03 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882
CobaltStrike
2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c
CobaltStrike
673d8268fd21825ca5f21d8b395cdcede7009b60e540cb36c46f5794626faefb
CobaltStrike
9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545
CobaltStrike
a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11
CobaltStrike
cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c
CobaltStrike
cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58
CobaltStrike
dbafbe9edfdac67a781756a6970a7341fd5401b0914fff7e3e8136cff0426fc5
CobaltStrike
f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d
CobaltStrike
+ 907 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor trojan
Link:
https://tria.ge/reports/210719-9659dy5kg6/
Behaviour
Modifies system certificate store
Blocklisted process makes network request
Cobaltstrike
Malware Config
C2 Extraction:
http://softzbh.com:443/jquery-3.3.2.slim.min.js
http://softzbh.com:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9
MD5 hash:
2abdfeb9090ff090ae9db0a5559e09c7
SHA1 hash:
4925d41d6db6e3f47250be8cdc21bb1548c7261a
Link:
https://www.unpac.me/results/a5b9d1b0-af89-4ffa-852f-b9e4e407b855/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172465/

Comments