MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e4e6f02b0d0f4a8864b756c0c2f4e91ba4fff73e823680bb2927a665756f73c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e4e6f02b0d0f4a8864b756c0c2f4e91ba4fff73e823680bb2927a665756f73c
SHA3-384 hash: a8effc8a28450c56cd4e46d5c72d32ce936451abd81d694ac4ddff8b771eb128414b362c1e53def30b0775e2c685ecfb
SHA1 hash: c72d92f631769ce206383c223e4a2f5dfbbbbb6d
MD5 hash: 85f3329783b466475c0423d0de8485a9
humanhash: carolina-cola-speaker-winner
File name:SecuriteInfo.com.W64.Emotet.EHD.genEldorado.16648.230
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:1'004'159 bytes
First seen:2022-03-12 05:34:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a62a4e55e145a922e3a860d82c01e587 (13 x CobaltStrike)
ssdeep 24576:p1PghBzKWN1zjpjLJ1RxfawzZA2UDF/WYVO0dp:pVax1zBLnfNZA2UDgYE0n
Threatray 1'507 similar samples on MalwareBazaar
TLSH T16F256B0BF6B842E5C0B6C17E8593966AF7B2B851473083C752919B1E5F377E4AA3E301
File icon (PE):PE icon
dhash icon 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter SecuriteInfoCom
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
624
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249776/
Detection(s):
SecuriteInfo.com.W64.Emotet.EHD.genEldorado.16648.230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Launching cmd.exe command interpreter
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8972/overview
Behaviour
MalwareBazaar
CursorPosition
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cobalt emotet expand.exe explorer.exe greyware keylogger overlay packed rundll32.exe shell32.dll
Link:
https://www.filescan.io/uploads/622c3109b94fb38cb46367fd/reports/9ca2b37e-98be-4c66-b018-26a973ac62d4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc674a5d-7f05-4f1a-b22f-d3894558a84d
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955385
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 587862 Sample: SecuriteInfo.com.W64.Emotet... Startdate: 12/03/2022 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 3 other signatures 2->46 9 loaddll64.exe 1 2->9         started        process3 process4 11 rundll32.exe 9->11         started        15 cmd.exe 9->15         started        17 cmd.exe 1 9->17         started        dnsIp5 36 benokij.com 139.60.161.165, 443, 49768, 49769 HOSTKEY-USAUS United States 11->36 50 System process connects to network (likely due to code injection or exploit) 11->50 52 Queues an APC in another process (thread injection) 11->52 19 rundll32.exe 15->19         started        23 conhost.exe 15->23         started        25 rundll32.exe 17->25         started        signatures6 process7 dnsIp8 34 benokij.com 19->34 48 System process connects to network (likely due to code injection or exploit) 19->48 27 cmd.exe 1 25->27         started        signatures9 process10 process11 29 rundll32.exe 27->29         started        32 conhost.exe 27->32         started        dnsIp12 38 benokij.com 29->38
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3e4e6f02b0d0f4a8864b756c0c2f4e91ba4fff73e823680bb2927a665756f73c/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-03-12 05:35:13 UTC
File Type:
PE+ (Dll)
Extracted files:
68
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
00906f1cf709f6591880f952da59f41a3019944d23824e000592fe7de035c446
CobaltStrike
22c034ac5a7ac3b628cbb37b575ac528030c961490e41bbe9435319fde8db07b
CobaltStrike
2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c
CobaltStrike
48951d50abf8359aad5a14d14d4bd4f442ce55f21da1e1f8bd4116be41fa5daf
CobaltStrike
8438bfbb9c978de4f342a3ed19551f735343a9c1ed0c8610a332a83918cb5985
CobaltStrike
954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e
CobaltStrike
971c693bc67cf7b4b9655282b815bc1ba10ee937f1736ba1ef5fdb7aea392f6c
CobaltStrike
9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545
CobaltStrike
bb4efe96748fcc28b827fc297d060c3ab32053cfb8ea506f8c97000debd22121
CobaltStrike
d1d0c9d1ee7b800d491c9fb3fc94b93e5c59d903a4debb092846c46481077ae0
CobaltStrike
+ 1'497 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor suricata trojan
Link:
https://tria.ge/reports/220312-f91t6sbcgk/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Cobaltstrike
suricata: ET MALWARE Cobalt Strike Beacon Activity (GET)
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
Malware Config
C2 Extraction:
http://benokij.com:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
3e4e6f02b0d0f4a8864b756c0c2f4e91ba4fff73e823680bb2927a665756f73c
MD5 hash:
85f3329783b466475c0423d0de8485a9
SHA1 hash:
c72d92f631769ce206383c223e4a2f5dfbbbbb6d
Link:
https://www.unpac.me/results/38ef6118-8a4b-4574-b358-1b05ef443fc6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e4e6f02b0d0f4a8864b756c0c2f4e91ba4fff73e823680bb2927a665756f73c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249776/

Comments