MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 638dabe5abd0593776c2644a7cf18d363fddfde3f93db92ab094dd2db9e6c69b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 638dabe5abd0593776c2644a7cf18d363fddfde3f93db92ab094dd2db9e6c69b
SHA3-384 hash: 0779acf920d226235e56983a6725871717a23b4ae2f14df0d9ceb1088193610c82f86c7f099d9cb0734bb9a1ffaa4bd9
SHA1 hash: e2ae1d6c79db2c03591be4ccdd4a68e69d6c5fe4
MD5 hash: 02ee4f8f288d211b19482c4e1628b941
humanhash: quebec-paris-papa-summer
File name:smbx.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:733'184 bytes
First seen:2021-04-06 05:41:52 UTC
Last seen:2021-04-06 07:09:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6584cb69d0f0e4464f09b52852646a65 (2 x CobaltStrike)
ssdeep 12288:0GexW8kLJ6rFMywqdLtIOAK9vRa1P7oHcNsIm5W:0GexW8kUEqdLtIOAyvS7oHgsbW
Threatray 260 similar samples on MalwareBazaar
TLSH 7BF41622AB579427EA51F0F0F782B7F1B79459231B2E70DE5387187B04229B0FF26661
Reporter Anonymous
Tags:CobaltStrike IcedID

Intelligence

File Origin
# of uploads :
2
# of downloads :
688
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
smbx.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-06 05:43:15 UTC
Tags:
installer
Link:
https://app.any.run/tasks/6f37e437-41e7-46d8-a9e3-b4e9642f5312

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132566/
Detection(s):
SecuriteInfo.com.BackDoor.Siggen2.247.15551.13949.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667132
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/638dabe5abd0593776c2644a7cf18d363fddfde3f93db92ab094dd2db9e6c69b/
Threat name:
Win32.Trojan.Sheljector
Create hunting rule
Status:
Malicious
First seen:
2021-04-04 05:38:39 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mog2xznl2bmto5wcmrfhz4mngy7537pd7e63skvqstos3opgy2nq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
2f8571d423e2af665fecf616c284491982acd4d3ab59a4ceb0790fa713266376
CobaltStrike
35b6d770bb5d9cdf686f07226c67de969c21648af598ee58036383a606802327
CobaltStrike
6aa7014299e01ce49789a7525d0eb3d4d685c220cae8ed4a6fa135c10d327762
CobaltStrike
6afab1df3de00b1200198e692eae6dc36373c310cf4102ecacc5c6e8ff89a7e8
CobaltStrike
7f3c8bf4b5d1cc28beaf09f5f31b8fad2d353b12484185097fdf8bf86fc55e30
CobaltStrike
8af8a2aa6d8db7a9bf93620814017b5296713963b74aba38eb7a35e62dcb7d3e
CobaltStrike
b1e6a236f66273f314961b8b6731fe76df76d0a900b3561dcf85447ef73041d4
CobaltStrike
ba1e40a772acdd71dc1e47b4f9ab2767868fd959f072a55c00da383a590c160f
CobaltStrike
cc2c6d177b60a3ec0aec1d38ba1f7942293ac85e688182f545720a952b511a97
CobaltStrike
f4ca63aeb4e3246c5d923942497d650bc3920c9fbc78a330ecf9d7db67e0cb8f
CobaltStrike
+ 250 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Link:
https://tria.ge/reports/210406-7br4mw6nrj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Cobaltstrike
Unpacked files
SH256 hash:
284718a007eaaca786ff0611181433071d45f603e121fc99226dfccff69bdbed
MD5 hash:
dc138d5f1678451478a963ed41ef6561
SHA1 hash:
f0dfbb10fac71edc106e5899db2d2e228a93a233
Detections:
win_cobalt_strike_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d199513-9b77-48fc-9188-f629872d23e0/
SH256 hash:
0ec106c6161e956405047aa5348318e4c4ed57d84dc28695d778209d505c0a7b
MD5 hash:
203ebdc2484432eb48d542a6bacf0a0d
SHA1 hash:
20aff641df102d44ed5198359b92a2ab4f9eb317
Link:
https://www.unpac.me/results/4d199513-9b77-48fc-9188-f629872d23e0/
SH256 hash:
638dabe5abd0593776c2644a7cf18d363fddfde3f93db92ab094dd2db9e6c69b
MD5 hash:
02ee4f8f288d211b19482c4e1628b941
SHA1 hash:
e2ae1d6c79db2c03591be4ccdd4a68e69d6c5fe4
Link:
https://www.unpac.me/results/4d199513-9b77-48fc-9188-f629872d23e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/638dabe5abd0593776c2644a7cf18d363fddfde3f93db92ab094dd2db9e6c69b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CobaltStrikeBeacon
Create hunting rule
Author:enzo
Description:Cobalt Strike Beacon Payload
Rule name:Trojan_Raw_Generic_4
Create hunting rule
Author:FireEye
Reference:https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
Rule name:win_cobalt_strike_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe 638dabe5abd0593776c2644a7cf18d363fddfde3f93db92ab094dd2db9e6c69b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/132566/

Comments