MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab1e662e687e0293800456f457071b61b659f4b247583ecfcda1a6584a0b16dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 6

Intelligence 6 IOCs YARA 7 File information Comments

SHA256 hash:	ab1e662e687e0293800456f457071b61b659f4b247583ecfcda1a6584a0b16dd
SHA3-384 hash:	d832477c34054991ce4f5b1a459c4ee16a960d7d0a9573bf76e10a703f83efb7296f57b195073e53a992ced2c1708b92
SHA1 hash:	0b41256415d0061adcb12fe70249de05845c0cb6
MD5 hash:	370879b160b20c7ce2aa92976f4ee72f
humanhash:	lion-aspen-five-blue
File name:	370879b160b20c7ce2aa92976f4ee72f.dll
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	335'872 bytes
First seen:	2021-07-01 05:39:11 UTC
Last seen:	2021-07-01 07:03:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b431941c337157e834b54d99a8a6e679 (3 x CobaltStrike, 2 x IcedID, 1 x Metasploit)
ssdeep	6144:R3zkdg7QTwC2ixeNVlvKizcSNEGlS3Mq9cmJ5KiKgve9v0uWjk53A5hbfNy:Rx7QTx2icF3ISN/vqbStgLuWjkZADbVy
Threatray	899 similar samples on MalwareBazaar
TLSH	BB6423DE050E6BE4CD0DC47596253AE12401190DCB6C5BC912AEA2F32579E2AFDD3AF3
Reporter	abuse_ch
Tags:	CobaltStrike dll exe

Intelligence

File Origin

# of uploads :

# of downloads :

518

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

370879b160b20c7ce2aa92976f4ee72f.dll

Verdict:

No threats detected

Analysis date:

2021-07-01 05:41:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b0f87c0c-db2e-4185-be55-aa800ea0ede7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/169043/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.18217.25363.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e39f5581-508c-4098-aae4-bbcfdf9d5349

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab1e662e687e0293800456f457071b61b659f4b247583ecfcda1a6584a0b16dd/

Threat name:

Win64.Trojan.WinGGo

Status:

Malicious

First seen:

2021-06-25 16:37:11 UTC

AV detection:

12 of 29 (41.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vmpgmltipybjhaaek32foby3mg3ft5fsi5md5t6nugtfqsqlc3oq._file

Verdict:

malicious

Label(s):

cobaltstrike

CobaltStrike

452363ce4a4695a985d5a6200de2b43692f7e0d4df11f0b30b42fc78a0cc9440

CobaltStrike

7e8a4bbdc12c7caefb486b28be1eebf0e35a8ad5f745aae17abbe7f40aff661f

CobaltStrike

84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252

CobaltStrike

8fabea95cbfe1da521dfcd7880ec3301a3a32175741680d8c1a8acacc0199eb7

CobaltStrike

a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11

CobaltStrike

bcbd4211108cf3c477de91d78383150e1d30f98d41c372770503eb259a762824

CobaltStrike

cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c

CobaltStrike

dbafbe9edfdac67a781756a6970a7341fd5401b0914fff7e3e8136cff0426fc5

CobaltStrike

f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d

CobaltStrike

+ 889 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:1580103814 backdoor trojan

Link:

https://tria.ge/reports/210701-t897z5jbka/

Behaviour

Modifies system certificate store

Blocklisted process makes network request

Cobaltstrike

Malware Config

C2 Extraction:

http://xudivum.com:443/zh.js

Unpacked files

SH256 hash:

ab1e662e687e0293800456f457071b61b659f4b247583ecfcda1a6584a0b16dd

MD5 hash:

370879b160b20c7ce2aa92976f4ee72f

SHA1 hash:

0b41256415d0061adcb12fe70249de05845c0cb6

Link:

https://www.unpac.me/results/77bd06a5-207f-4102-96ff-22cd2aaf2847/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/ab1e662e687e0293800456f457071b61b659f4b247583ecfcda1a6584a0b16dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	shad0w_beacon_16June Create hunting rule
Author:	SBousseaden
Description:	Shad0w beacon compressed
Reference:	https://github.com/bats3c/shad0w

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/169043/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample