MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8
SHA3-384 hash: 93d1113d5569216fc826db8d54e5c0d0521902ce35e999e7370751305467926d02a32f57bfb49b1ff54d7817a1bed76a
SHA1 hash: 426aff05acfcfd800a4c6f0b77fe3e92d491c3ec
MD5 hash: d38821792f768551b015a982c0ddd1d5
humanhash: pasta-mountain-zebra-glucose
File name:gdfvr.hta
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:155'197 bytes
First seen:2024-07-16 08:09:21 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 768:tZ6A3yXNA0AGAhUybo5ynoitI0AOgDsXxJRQiXAZO:tXFGU5
TLSH T1E2E37C579203E53D592358FFEA3CEED110D0DE9ADBC89A4344FE5419ABE0F9CB608486
Reporter NDA0E
Tags:CobaltStrike hta


Avatar
NDA0E
http://107.173.143.46/xampp/meh/gdfvr.hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-360.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66962adccadc6250d05568a0win7simulatehigh_evasion
Tags:
Banker Stealth Dexter
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66962ae1f921a99b93551f2d/reports/fa4c4f08-6608-4f27-89bd-d8a06a50b81f/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.9BB2BE6D
Link:
https://www.hybrid-analysis.com/sample/36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike
Create hunting rule
Detection:
malicious
Classification:
phis.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1474090
Signature
Detected Cobalt Strike Beacon
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Yara detected obfuscated html page
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1474090 Sample: gdfvr.hta Startdate: 16/07/2024 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected Powershell decode and execute 2->58 60 Yara detected obfuscated html page 2->60 62 2 other signatures 2->62 9 mshta.exe 1 2->9         started        process3 signatures4 64 Suspicious command line found 9->64 66 PowerShell case anomaly found 9->66 12 cmd.exe 1 9->12         started        process5 signatures6 68 Detected Cobalt Strike Beacon 12->68 70 Suspicious powershell command line found 12->70 72 PowerShell case anomaly found 12->72 15 powershell.exe 45 12->15         started        20 conhost.exe 12->20         started        process7 dnsIp8 50 107.173.143.46, 49704, 80 AS-COLOCROSSINGUS United States 15->50 32 C:\Users\user\AppData\Roaming\igccu.exe, PE32 15->32 dropped 34 C:\Users\user\AppData\Local\...\csrss[1].exe, PE32 15->34 dropped 36 C:\Users\user\AppData\...\ovahg0k1.cmdline, Unicode 15->36 dropped 52 Loading BitLocker PowerShell Module 15->52 54 Powershell drops PE file 15->54 22 igccu.exe 2 15->22         started        25 csc.exe 3 15->25         started        file9 signatures10 process11 file12 38 C:\Users\user\AppData\Local\...\igccu.tmp, PE32 22->38 dropped 27 igccu.tmp 27 21 22->27         started        40 C:\Users\user\AppData\Local\...\ovahg0k1.dll, PE32 25->40 dropped 30 cvtres.exe 1 25->30         started        process13 file14 42 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 27->42 dropped 44 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 27->44 dropped 46 C:\...\unins000.exe (copy), PE32 27->46 dropped 48 3 other files (none is malicious) 27->48 dropped
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8/
Threat name:
Script-JS.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-07-16 08:05:19 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 24 (29.17%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3whbcxq4i5klzwpuug3wqzhzlm4lpzfoqfllm4mpke46llgc64a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240716-j2pzgsseqp/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

CobaltStrike

Excel file xls 1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857

CobaltStrike

HTML Application (hta) hta 36ec708af0e23aa5e6cfa50dbb4327cad9c5bf25740ab5b38c7a89cf2d6617b8

(this sample)

  
Dropped by
SHA256 1ccf2435674e5a774cbb63f1177f3ae6c592ccf152bb50986cb80e6a76c24857
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3046265/
  
Dropped by
MD5 256d0da4bcd96d9016aae187faa7abc5

Comments