MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be9ae4f35c971037fd5762105e3f5bb6657fc27e37a42663878fc954ddfaeff5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be9ae4f35c971037fd5762105e3f5bb6657fc27e37a42663878fc954ddfaeff5
SHA3-384 hash: 9cbeb4f5e2157df9734814978fbed0aef8a8d85e760e033dc31fc9c1b863329d6c7384a8c29e3dff3129e247134fb4ad
SHA1 hash: 06666db64391446d83b58542b8a896e30ed8fbdb
MD5 hash: 8a776cec7e08a293bd5497251bcf14a5
humanhash: three-glucose-kentucky-oscar
File name:456.dll
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:168'448 bytes
First seen:2022-10-12 15:00:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 26c9f11fada876ecc23eb888e3090329 (2 x CobaltStrike)
ssdeep 3072:Tzr+p8AU9/uTKkmbiIzTI34dWNxAZE242DrDaU8LjUUWlQQtsYf:TcKmLQTIJZerDaxgWNY
Threatray 1'964 similar samples on MalwareBazaar
TLSH T172F38D07E2D542ABE4738974C8834616F7B5782517119F6F4368833A3F17B60AF3AB29
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter malware_traffic
Tags:Beacon Cobalt Strike CobaltStrike exe


Avatar
malware_traffic
Run method: regsvr32.exe [filename]

Intelligence

File Origin
# of uploads :
1
# of downloads :
495
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
456.dll
Verdict:
Malicious activity
Analysis date:
2022-10-12 14:57:47 UTC
Tags:
cobalt
Link:
https://app.any.run/tasks/d91e6b2e-c28f-49d5-812a-5a7e78e1d707

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319428/
Detection(s):
SecuriteInfo.com.W64.Kryptik.GRC.gen.Eldorado.17652.1214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6346d67784a686684c9a8074/reports/94df6fbb-585a-4695-8564-6dbda404bc86/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/65a65e04-a6e5-429e-b73a-276f3c43d4a5
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1088899
Signature
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 721503 Sample: 456.dll.dll Startdate: 12/10/2022 Architecture: WINDOWS Score: 92 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected CobaltStrike 2->39 41 C2 URLs / IPs found in malware configuration 2->41 8 loaddll64.exe 7 2->8         started        process3 dnsIp4 29 tagujog.com 8->29 11 rundll32.exe 6 8->11         started        15 cmd.exe 1 8->15         started        17 regsvr32.exe 6 8->17         started        19 3 other processes 8->19 process5 dnsIp6 45 System process connects to network (likely due to code injection or exploit) 11->45 21 rundll32.exe 15->21         started        33 tagujog.com 23.83.133.97, 443, 49703, 49704 LEASEWEB-USA-PHX-11US United States 17->33 24 WerFault.exe 9 19->24         started        signatures7 process8 signatures9 43 System process connects to network (likely due to code injection or exploit) 21->43 26 WerFault.exe 20 9 21->26         started        process10 dnsIp11 31 192.168.2.1 unknown unknown 26->31
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be9ae4f35c971037fd5762105e3f5bb6657fc27e37a42663878fc954ddfaeff5/
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 15:00:08 UTC
File Type:
PE+ (Dll)
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2noj424s4idp7kxmiif4p23wzsx7qt6g6scmy4hr7evjxp2572q._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
08ec3f13e8637a08dd763af6ccb46ff8516bc46efaacb1e5f052ada634a90c0e
CobaltStrike
5efe564a2c779adebab8e664d524a0cfd026c8ab3a57527bd1d821245ffc2a8c
CobaltStrike
74ace0111970edf84a676c96b0c8180b2f2f6bc0a3f8e7bd1db4c9505e7e1d17
CobaltStrike
9122991758a93293f0ec4db1de3a04927f583b08751a553d235d5fdc1b254bd4
CobaltStrike
936861ea91e37611908b21310d461eb7435f2912e9a7576cee22ce22342d659b
CobaltStrike
99be525b748064edaa30caa911b1122187139c463ad29068c3ee5cf69eed774e
CobaltStrike
a9c4eafcff0567c68919c93ddf8baa769392e92706e6b35f7b989310d70f732f
CobaltStrike
e4ffdbfb5878a94d27139e2e7ff3b5b91944e1434935028a3c34894988b353bf
CobaltStrike
+ 1'954 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221012-sdblmageal/
Behaviour
Program crash
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/076b2b53-caed-426f-8ffa-a06375747355
Unpacked files
SH256 hash:
be9ae4f35c971037fd5762105e3f5bb6657fc27e37a42663878fc954ddfaeff5
MD5 hash:
8a776cec7e08a293bd5497251bcf14a5
SHA1 hash:
06666db64391446d83b58542b8a896e30ed8fbdb
Link:
https://www.unpac.me/results/ee89069b-6a19-40b0-b91f-97fc42c17465/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be9ae4f35c971037fd5762105e3f5bb6657fc27e37a42663878fc954ddfaeff5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:bumblebee_win_generic
Create hunting rule
Author:_kphi

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319428/

Comments