MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e1d36766dfab3b000777a6c8a7742e3f454eb9270e835181cfb3ee04e8a1e62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 12



SHA256 hash: 3e1d36766dfab3b000777a6c8a7742e3f454eb9270e835181cfb3ee04e8a1e62
SHA3-384 hash: a039e6a3255a84d536eb6ea2e54d24d046a084444a50a95135b5bfc16bd25df8f528bbf41beeed6fe1c73fc1aa3a217a
SHA1 hash: d31d094799cfe75b24e4d89d7131d62adc5aca74
MD5 hash: 8f42a7fb558edae380e2a8c4f4902b52
humanhash: winter-eleven-juliet-maine
File name: lfuaqwpuz.dll
Signature: CobaltStrike
File size: 528'896 bytes
First seen: 2022-03-24 14:55:35 UTC
Last seen: 2022-03-24 16:48:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2624c58336cbbd5a419b179231b2e65d (1 x CobaltStrike)
ssdeep: 12288:999Qw595PyPAqCH3AtkzdJen5irPfjE15C:999TTPywQtkPqArjEK
Threatray: 1'841 similar samples on MalwareBazaar
TLSH: T148B4E007B7EA52EBD5B6913991432512E77234010335A7EB83A18B6F4F677D08E3BB60
Reporter: malware_traffic
Tags: Beacon Cobalt Strike CobaltStrike exe


malware_traffic
Cobalt Strike dropped by an Emotet epoch4 infection on 2022-03-24
run method: regsvr32.exe [filename]

Intelligence


File Origin
# of uploads: 2
# of downloads: 650
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: lfuaqwpuz.dll
Verdict: Malicious activity
Analysis date: 2022-03-24 14:52:12 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: CobaltStrikeBeacon

Result
Verdict: Clean
Maliciousness:

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cobalt greyware

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Commodity Loader
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Behavior Graph (ID 596290; sample lfuaqwpuz.dll; start date 24/03/2022; architecture WINDOWS; score 52). Signatures: "Multi AV Scanner detection for submitted file" and "Sigma detected: Suspicious Call by Ordinal". Process tree: loaddll64.exe started cmd.exe, rundll32.exe, rundll32.exe and 2 other processes; cmd.exe started rundll32.exe.
Threat name: Win64.Backdoor.CobaltStrikeBeacon
Status: Malicious
First seen: 2022-03-24 14:56:11 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 14 of 26 (53.85%)
Threat level: 5/5

Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike backdoor trojan
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Cobaltstrike

Unpacked files
SHA256 hash: 3e1d36766dfab3b000777a6c8a7742e3f454eb9270e835181cfb3ee04e8a1e62
MD5 hash: 8f42a7fb558edae380e2a8c4f4902b52
SHA1 hash: d31d094799cfe75b24e4d89d7131d62adc5aca74
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: Emotet

Comments