MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b156d3fddec3ec4b06b17703426bdd76896e70784eb3c29d085d385b53ef6f09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b156d3fddec3ec4b06b17703426bdd76896e70784eb3c29d085d385b53ef6f09
SHA3-384 hash: 6b755033136a631cb35f70df5992207a3571cd5823ded02ac8ea80af63d61236d284b2a1a6fec3a2d059ca0af0af1dd9
SHA1 hash: 8e484470b1bb95d51a625fb31bfc8877655c298e
MD5 hash: dd28e93fa65737390d7f1553e0ce8bb8
humanhash: kitten-failed-fourteen-vermont
File name:jtyhssdclljc.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:1'454'080 bytes
First seen:2022-03-09 18:26:37 UTC
Last seen:2022-03-09 19:47:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d4d1207e63433210521fa12525a70925 (1 x CobaltStrike)
ssdeep 24576:5tu1+d8K4xB7ADvwnLXThiq1W4epDUV+u/eND1zvPn58Lq:5Rd8K4x2Dvwn3h/AAV+LbOL
Threatray 1'515 similar samples on MalwareBazaar
TLSH T151656D7D8AA217A4D47AD53098221D038AF1FDB111B06EE3C7D9765ACE3F7E25234B09
Reporter malware_traffic
Tags:Beacon Cobalt Strike CobaltStrike exe


Avatar
malware_traffic
Cobalt Strike dropped by Emotet infection on 2022-03-09

Intelligence

File Origin
# of uploads :
2
# of downloads :
643
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
jtyhssdclljc.dll
Verdict:
No threats detected
Analysis date:
2022-03-09 18:06:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4630d3b6-9b47-4083-bab7-9fdceb76f533

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248840/
Detection(s):
SecuriteInfo.com.Trojan.Heur.02016022.24740.28181.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8792/overview
Behaviour
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware packed warp
Link:
https://www.filescan.io/uploads/6228f17bb94fb38cb449da29/reports/7a5eadf2-090a-4105-b574-59356fbfa512/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a83fee3f-5ae7-4fa4-bd4c-97d77154a443
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/953545
Signature
Contain functionality to detect virtual machines
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 586022 Sample: jtyhssdclljc.dll Startdate: 09/03/2022 Architecture: WINDOWS Score: 48 21 Sigma detected: Suspicious Call by Ordinal 2->21 7 loaddll64.exe 1 2->7         started        process3 signatures4 23 Contain functionality to detect virtual machines 7->23 10 regsvr32.exe 7->10         started        13 cmd.exe 1 7->13         started        15 rundll32.exe 7->15         started        17 2 other processes 7->17 process5 signatures6 25 Contain functionality to detect virtual machines 10->25 19 rundll32.exe 13->19         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b156d3fddec3ec4b06b17703426bdd76896e70784eb3c29d085d385b53ef6f09/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-03-09 18:27:12 UTC
File Type:
PE+ (Dll)
Extracted files:
6
AV detection:
5 of 27 (18.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wflnh7o6ypwewbvro4bue265o2ew44dyj2z4fhiilu4fwu7pn4eq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
1196cd7aca5d5576e3d142339e6d7fd9325f4210c6ae196065d766a1468da08c
CobaltStrike
22c034ac5a7ac3b628cbb37b575ac528030c961490e41bbe9435319fde8db07b
CobaltStrike
2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c
CobaltStrike
4dd194d5f8fb499deaa1294d5872b4076df6260a29284a17fe11032d094856c4
CobaltStrike
5b8003ff376c2b14085ccb6a80a2ad413cd7c66edea216cb72890fb7dc70d5c0
CobaltStrike
80ceb4bfb2275af2edd90f25d428fae22686ed75b7c5d9cc5fc003866021a712
CobaltStrike
954944ef6cdd1474ed35f27b790a7914156672cc7a1afbcc3214ccc1855ff12e
CobaltStrike
d1d0c9d1ee7b800d491c9fb3fc94b93e5c59d903a4debb092846c46481077ae0
CobaltStrike
ea27ef027a10c66b256aceb6e3c4a970d7076b3d3571885ab8e2f2a19c21aa97
CobaltStrike
+ 1'505 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220309-w3rkxsbde6/
Unpacked files
SH256 hash:
b156d3fddec3ec4b06b17703426bdd76896e70784eb3c29d085d385b53ef6f09
MD5 hash:
dd28e93fa65737390d7f1553e0ce8bb8
SHA1 hash:
8e484470b1bb95d51a625fb31bfc8877655c298e
Link:
https://www.unpac.me/results/193b3436-baa5-4d66-821b-b85e9656d0d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b156d3fddec3ec4b06b17703426bdd76896e70784eb3c29d085d385b53ef6f09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/4630d3b6-9b47-4083-bab7-9fdceb76f533
  
Dropped by
Emotet
Cape
Cape
https://www.capesandbox.com/analysis/248840/

Comments