MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1e3363e29f3faee2821b73dae25074609054a119a8de733b14eca7460bbb87b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1e3363e29f3faee2821b73dae25074609054a119a8de733b14eca7460bbb87b
SHA3-384 hash: e7a5d4e65f01e212f420761ccee05d780919eece61f510ded56111389797712bf47dd930c6acd9819113190cc6d254d5
SHA1 hash: 67b4d3f1d763f6537e5ef620c70e2fe37d60328b
MD5 hash: b237219cd61c47fe738494c2854ca382
humanhash: mars-floor-mountain-happy
File name:test.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:180'736 bytes
First seen:2021-04-10 01:24:10 UTC
Last seen:2021-04-10 01:52:11 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e9a2c4fc226607b721cfebfda689e7dd (2 x CobaltStrike)
ssdeep 3072:aWHcnSBUHTm3uNVpuiCo+J63n86PdA/u2HqNkdDfJt/xAg0FujqoLKoOx:a3Sezm+NVEiNql6V8u2HXfLAObOoOx
Threatray 418 similar samples on MalwareBazaar
TLSH 7C047D0074D1C836E5BE163804B59E664BFEBC12CB649EEBA7948D6E4F303C09E71A75
Reporter Anonymous
Tags:CobaltStrike

Intelligence

File Origin
# of uploads :
2
# of downloads :
634
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133467/
Detection(s):
SecuriteInfo.com.DeepScan.Generic.Exploit.Shellcode.1.54C528B2.25218.314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/409052b3-6ff4-4ce5-88c8-18d45da59d7f
Result
Threat name:
CobaltStrike Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/671897
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 384895 Sample: test.dll Startdate: 10/04/2021 Architecture: WINDOWS Score: 96 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 3 other signatures 2->44 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 12 7->9         started        13 rundll32.exe 12 7->13         started        15 cmd.exe 1 7->15         started        dnsIp5 26 42.202.154.30, 49727, 49731, 49733 CHINANET-LIAONING-DALIAN-MANCHINANETLiaoningprovinceDali China 9->26 28 58.216.107.24, 49752, 49753, 49754 CHINANET-JIANGSU-CHANGZHOU-IDCChinaNetJiangsuChangzhouID China 9->28 36 2 other IPs or domains 9->36 46 System process connects to network (likely due to code injection or exploit) 9->46 30 121.51.32.209, 49711, 49712, 49714 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa China 13->30 32 1.180.204.161, 49709, 49710, 49713 CHINANET-BACKBONENo31Jin-rongStreetCN China 13->32 34 60.167.222.35, 49744, 49746, 49749 CHINANET-BACKBONENo31Jin-rongStreetCN China 13->34 48 Contains functionality to inject threads in other processes 13->48 17 rundll32.exe 12 15->17         started        signatures6 process7 dnsIp8 20 223.111.108.40, 49724, 49725, 49726 CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN China 17->20 22 122.246.6.14, 49715, 49716, 49717 CHINATELECOM-ZHEJIANG-NINGBO-IDCNINGBOZHEJIANGProvince China 17->22 24 2 other IPs or domains 17->24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1e3363e29f3faee2821b73dae25074609054a119a8de733b14eca7460bbb87b/
Threat name:
Win32.Trojan.Cometer
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 07:50:42 UTC
AV detection:
7 of 48 (14.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhrtmprj6p5o4kbbw4624jihiyeqksqrtkg6om5rj3fhiyf3xb5q._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
0c4cec40fce3e0e360abaab4009f10b3d709724f074883304b004c46f99c218e
CobaltStrike
0d10ff57bd06aeacd5d947019399ff2635a5b42fab0be39014c945a7588826d0
CobaltStrike
14c63d1c8979ac3e55720fbfedd7f1f7fb68bbf16a2ca2882284817cf01ccd8f
CobaltStrike
4970f05913aa3f02abc082a82fbf8cf2fc36995b898786cde396b93dce74b859
CobaltStrike
972ce01537b30f5f6fb618365c91c920c3ac9b58eba0ee5785b05ce203fc90db
CobaltStrike
a3af3d7e825daeffc05e34a784d686bb9f346d48a92c060e1e901c644398d5d7
CobaltStrike
b0c5cdfc00ce2458d2056dd93605fb06661fe2e3911b411a10f113b5cf1d494d
CobaltStrike
b78abf1efa2b5cc5cb333314287095a4f424de025216b302a097945d73fbab77
CobaltStrike
ed324d9ae6fff04a11e230c45999de1deac96cae2dce42dfb1661413fb00c8d8
CobaltStrike
fba8817602cb7dae175d9fec0900fbfd3e097aae4d32befaecd87d6e3fdb7412
CobaltStrike
+ 408 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike family:metasploit backdoor trojan
Link:
https://tria.ge/reports/210410-qsjmrpwtwx/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Cobaltstrike
MetaSploit
Malware Config
C2 Extraction:
http://1.180.204.161:80/css/_utf.gif?id=18721
http://121.51.32.209:80/news/new/
http://122.246.6.14:80/news/new/
http://180.96.32.89:80/news/new/
http://42.81.125.27:80/news/new/
http://223.111.108.40:80/news/new/
http://42.202.154.30:80/news/new/
http://27.221.54.169:80/news/new/
http://60.167.222.35:80/news/new/
http://58.216.107.24:80/news/new/
http://60.174.59.174:80/news/new/
Unpacked files
SH256 hash:
a1e3363e29f3faee2821b73dae25074609054a119a8de733b14eca7460bbb87b
MD5 hash:
b237219cd61c47fe738494c2854ca382
SHA1 hash:
67b4d3f1d763f6537e5ef620c70e2fe37d60328b
Link:
https://www.unpac.me/results/f7247449-9f1b-4f66-bdb8-b6967bacf581/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Exploit
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1e3363e29f3faee2821b73dae25074609054a119a8de733b14eca7460bbb87b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

CobaltStrike

DLL dll a1e3363e29f3faee2821b73dae25074609054a119a8de733b14eca7460bbb87b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133467/

Comments