MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 924be86257276507d117219a847223fc7eade64a5788f74a0d174a59ae20e0ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 14



SHA256 hash: 924be86257276507d117219a847223fc7eade64a5788f74a0d174a59ae20e0ab
SHA3-384 hash: eea333e3d3816c2d9e9c0f46ee55747725ec08c8ca6d496db6d1661de1b6dba18931b6866cac3e76574a3aae05b242c8
SHA1 hash: c45e10d6ca4735f674aa71abbc3db47d51e57557
MD5 hash: 31c19912caf27a837899988b2a60417e
humanhash: failed-glucose-butter-social
File name: 31c19912caf27a837899988b2a60417e.dll
Signature: CobaltStrike
File size: 1'004'291 bytes
First seen: 2022-04-14 19:58:06 UTC
Last seen: 2022-04-20 10:21:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a62a4e55e145a922e3a860d82c01e587 (13 x CobaltStrike)
ssdeep: 24576:p1PghBzKWN1zjpjLJ1RxfawzZA2UDF/WYVO0dd:pVax1zBLnfNZA2UDgYE0r
Threatray: 1'568 similar samples on MalwareBazaar
TLSH: T1E4256B0BF6B842E5C0B6C17E8593966AF7B2B851473083C752919B1E5F377E4AA3E301
TrID: 66.5% (.EXE) InstallShield setup (43053/19/16)
      16.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      3.1% (.EXE) OS/2 Executable (generic) (2029/13)
      3.0% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter: abuse_ch
Tags: CobaltStrike dll exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 738
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 31c19912caf27a837899988b2a60417e.dll
Verdict: No threats detected
Analysis date: 2022-04-14 20:43:47 UTC
Tags: installer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Launching cmd.exe command interpreter
  Launching a process
  DNS request

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  SystemUptime
  CursorPosition
  EvasionQueryPerformanceCounter
  CheckCmdLine
  EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: expand.exe explorer.exe greyware keylogger overlay packed rundll32.exe shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Queues an APC in another process (thread injection)
  Sigma detected: Suspicious Call by Ordinal
  System process connects to network (likely due to code injection or exploit)
  Yara detected CobaltStrike
Behaviour:
Behavior Graph (ID 609644; sample mAEx7XiUPL.dll; start date 14/04/2022; architecture Windows; score 100)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 4 other signatures
Process tree and network activity recovered from the graph:
  loaddll64.exe
    rundll32.exe -> benokij.com (139.60.161.165, port 443; local ports 49715, 49716; HOSTKEY-USAUS, United States)
      signatures: System process connects to network (likely due to code injection or exploit); Queues an APC in another process (thread injection)
    cmd.exe
      rundll32.exe -> benokij.com; 192.168.2.1 (unknown)
        signature: System process connects to network (likely due to code injection or exploit)
      conhost.exe
    cmd.exe
      rundll32.exe
        cmd.exe
          rundll32.exe -> benokij.com
          conhost.exe
Threat name: Win64.Trojan.CobaltStrike
Status: Malicious
First seen: 2022-04-14 19:59:12 UTC
File Type: PE+ (Dll)
Extracted files: 68
AV detection: 24 of 42 (57.14%)
Threat level: 5/5

Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike botnet:0 backdoor trojan
Behaviour:
  Suspicious use of WriteProcessMemory
  Blocklisted process makes network request
  Cobaltstrike
Malware Config
C2 Extraction: http://benokij.com:443/jquery-3.3.1.min.js
Unpacked files
SHA256 hash: 924be86257276507d117219a847223fc7eade64a5788f74a0d174a59ae20e0ab
MD5 hash: 31c19912caf27a837899988b2a60417e
SHA1 hash: c45e10d6ca4735f674aa71abbc3db47d51e57557
Malware family: CobaltStrike
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CobaltStrike
File type: Executable exe
SHA256: 924be86257276507d117219a847223fc7eade64a5788f74a0d174a59ae20e0ab (this sample)

Delivery method: Distributed via web download