MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab1da8377cc00a708cb0430c6c1ab1963a3a6866534b1b515c409925d660ae56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	ab1da8377cc00a708cb0430c6c1ab1963a3a6866534b1b515c409925d660ae56
SHA3-384 hash:	9739cc795a576c0516af9f5e44d9b4e33f826b6fe7b3f59a6cd9680b0a1f98475f0222d93b5e0c682d08e6b6c84ea11f
SHA1 hash:	4f7ef5cde119442a6f8a470bbe2510a411bf6ebf
MD5 hash:	91eb85e710d4f71c5fd80d8a7f33756c
humanhash:	violet-carpet-helium-video
File name:	mpsvc.dll
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	51'200 bytes
First seen:	2020-08-11 17:13:27 UTC
Last seen:	2020-08-11 17:53:26 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	dec27dcaa223050135bbf27277f407f4 (1 x CobaltStrike)
ssdeep	768:jfd7+cz9/Anm7NHSsbj/zHbPzNhQCYkkEAUEDvnCBWMPFLf81e:jf5P7l/zHHzkkWEPFz81e
Threatray	116 similar samples on MalwareBazaar
TLSH	9E336A1172A0C073D16A55305D79D662AEAF7C119BF4808B3FA9037E6FB12D0AB38367
Reporter	James_inthe_box
Tags:	dll

Intelligence

File Origin

# of uploads :

2

# of downloads :

62

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/43634/

Detection(s):

SecuriteInfo.com.Gen.NN.ZedlaF.34152.dq4@a8dNnQ.12935.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/419838

Signature

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab1da8377cc00a708cb0430c6c1ab1963a3a6866534b1b515c409925d660ae56/

Threat name:

Win32.Trojan.Plugx

Status:

Malicious

First seen:

2020-08-11 17:13:21 UTC

File Type:

PE (Dll)

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

203f753b4e81e49247f62c3f59e6744e6b7b3b0a399ebe7118b0fcc23c6ebf22

2bce6eb2839569ba077e24468259aa2678677275c632a0d276dcb14566cc6fcf

39d7474b63ada6e1a6d60bf32680e06a5265f88439942a37f8be3f668b78c2b2

5e627b14e776856c2904f622b43da929fbc41c1d0b753cd0f98913d8eeaf3544

888750cee6858ec2c6131628caa562be26b1c65ecaeff4addcbf73a456c99517

951cf534559a88818ccf0aa18e0b771a9e8159f40ecba9c58ceb5ba720859af8

c83163a6e61b2bf3852b426f8ccccac4044d57b2b4514125624632e836f51660

d98c29847ea4a1acbc30f95ede18759d9f2ed343dd99d85a542efdf23fd497e5

f15491b940bdf60bc4e906b0c333ea3f7a7f38079a906b80a212901eb5ce0152

fde61e7e31794b93f99bc6e1a99c64debde2e6f982e7f385a7a6b1be41feb14c

+ 106 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200811-ks1zdz5hsn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Plugx

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ab1da8377cc00a708cb0430c6c1ab1963a3a6866534b1b515c409925d660ae56

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/43634/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample