MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59e08d42ce495f290c4dfd7be9614f786cdfed3ebdd7d6e68accbb630c051083. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	59e08d42ce495f290c4dfd7be9614f786cdfed3ebdd7d6e68accbb630c051083
SHA3-384 hash:	7bd4d6d4752bccbbfc9f1cdba3f28732d3576e7eacebe0f2bd33f59a5e854bf1718f9e7ae35f8f5e3a367b5cff7902ae
SHA1 hash:	01dbd9af94ee45729c07a059d172fc8a29f9aec1
MD5 hash:	ffeb8e4150061e66092e9bbb513167f7
humanhash:	may-leopard-edward-alpha
File name:	exploit.docx
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	62'286 bytes
First seen:	2021-11-06 02:24:21 UTC
Last seen:	Never
File type:	docx
MIME type:	application/octet-stream
ssdeep	1536:cQvlIz3zXETkheH63IlUtEP9bB3Lv0jjaqmHZVPaWPvU16ftB89m+:cSK3zXETxa3IgCbZLv0AHZRRM43qm+
TLSH	T19853F12CFD46B55EC66298BC52DA91E0F40C86C3E6D1C42F6424FADCBB012E756F1B86
Reporter	JAMESWT_WT
Tags:	1 CobaltStrike docx xiaodi8

Intelligence

File Origin

# of uploads :

# of downloads :

734

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

exploit.docx

Verdict:

Malicious activity

Analysis date:

2021-11-06 02:22:21 UTC

Tags:

generated-doc

Link:

https://app.any.run/tasks/efe4fa3f-3c6e-4a75-944c-be17add27b73

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Exploit.Xml.CVE-2017-0199.equmby.8113.23950.UNOFFICIAL

MiscreantPunch.Suspicious.RemoteTemplateCall.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

OOXML Word File

Link:

https://app.docguard.net/59e08d42ce495f290c4dfd7be9614f786cdfed3ebdd7d6e68accbb630c051083/results/dashboard

Payload URLs

URL

File name

http://www.xiaodi8.com/1.dotm?raw=ture

settings.xml.rels

Verdict:

Unknown

Threat level:

0/10

Confidence:

67%

Tags:

CVE-2017-0199 exploit

Link:

https://www.filescan.io/uploads/6185e7802084b424af0b5bca/reports/86239557-a703-477c-9ca1-eea54ba097bd/overview

Result

Threat name:

Metasploit

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/884424

Signature

C2 URLs / IPs found in malware configuration

Contains an external reference to another file

Creates a thread in another existing process (thread injection)

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Document exploit detected (process start blacklist hit)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious Rundll32 Without Any CommandLine Params

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59e08d42ce495f290c4dfd7be9614f786cdfed3ebdd7d6e68accbb630c051083/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lhqi2qwojfpssdcn7v56sykppbwn73j6xxl5nzukzs5wgdafccbq._file

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:metasploit backdoor trojan

Link:

https://tria.ge/reports/211106-cwat2saebl/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Abuses OpenXML format to download file from external location

Blocklisted process makes network request

MetaSploit

Process spawned unexpected child process

Malware Config

C2 Extraction:

http://47.94.236.117:9999/aDBu

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.99

Link:

https://yomi.yoroi.company/submissions/59e08d42ce495f290c4dfd7be9614f786cdfed3ebdd7d6e68accbb630c051083

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample