MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6262f4aa06d0bf045d95e3fcbc142f1d1d98f053da5714e3570482f0cf93b65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7



SHA256 hash: b6262f4aa06d0bf045d95e3fcbc142f1d1d98f053da5714e3570482f0cf93b65
SHA3-384 hash: 5f4a15f41bc5ba653cbfa9ed715f29bf9cf6e3b54d1daa399e83ca05014dd5ac9422213779a844e11d4540230847d7d1
SHA1 hash: 62964395bbc5fbee65dac62e0233ce8377674b2c
MD5 hash: ac581207ef80437a961f2ada3a47d763
humanhash: seventeen-fillet-charlie-michigan
File name: gwui.dll
Signature: CobaltStrike
File size: 216'576 bytes
First seen: 2022-02-08 23:13:53 UTC
Last seen: 2022-02-09 00:54:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0901657c3106062e114d7b76e62555e7 (1 x CobaltStrike)
ssdeep: 3072:CMO8u8qYeykBpKB9T6/ahhywcdYi2emGuwq4kNu2:1Buz3pKB9T6/Whyil5Guw
Threatray: 505 similar samples on MalwareBazaar
TLSH: T17B245B45336401F5E8679234CAE39A05E672B81B037563CF036886B67F377E19A3E366
Reporter: malware_traffic
Tags: Cobalt Strike CobaltStrike dll exe


malware_traffic
Cobalt Strike from Emotet infection on Tuesday 2022-02-08. Run method: regsvr32.exe /s [filename]

Intelligence

File Origin
# of uploads: 2
# of downloads: 592
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: gwui.dll
Verdict: No threats detected
Analysis date: 2022-02-08 23:05:24 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CobaltStrike
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph (ID 568947; sample: gwui.dll; start date: 09/02/2022; architecture: WINDOWS; score: 100). Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected CobaltStrike; 3 other signatures. Process tree: loaddll64.exe started cmd.exe, rundll32.exe and regsvr32.exe; cmd.exe started a second rundll32.exe. Network: loaddll64.exe and the second rundll32.exe resolve foxofeli.com; regsvr32.exe connects to foxofeli.com (23.82.140.91, port 443, source ports 49760 and 49761; LEASEWEB-USA-MIA-11, United States). Both rundll32.exe processes triggered "System process connects to network (likely due to code injection or exploit)".
Threat name: Win64.Trojan.Shelma
Status: Malicious
First seen: 2022-02-08 23:14:11 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 2 of 43 (4.65%)
Threat level: 5/5
Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike backdoor trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Cobaltstrike
Malware Config
C2 Extraction: http://foxofeli.com:443/image-directory/dhl.jpg
Unpacked files
SHA256 hash: b6262f4aa06d0bf045d95e3fcbc142f1d1d98f053da5714e3570482f0cf93b65
MD5 hash: ac581207ef80437a961f2ada3a47d763
SHA1 hash: 62964395bbc5fbee65dac62e0233ce8377674b2c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments