MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58
SHA3-384 hash: 9f8f62846fe698a4971c62817bc8b16f7781fbef8c6b73c446d92364975668c34dc95174918ae927937563ca32c8cb79
SHA1 hash: ddf0214fbf92240bc60480a37c9c803e3ad06321
MD5 hash: 55646b7df1d306b0414d4c8b3043c283
humanhash: georgia-mockingbird-sink-spring
File name:iduD2A1.tmp
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:181'248 bytes
First seen:2021-06-29 02:21:26 UTC
Last seen:2021-06-29 03:22:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48bed5054036161b7d3e7fbf6f1c4391 (1 x CobaltStrike)
ssdeep 3072:fck3rwbtOsN4X1JmKSol6LZVZgBPruYgr3Ig/XZO9:fck3rwblqPgokNgBPr9gA
Threatray 944 similar samples on MalwareBazaar
TLSH 10049E14B2A914FBEE6A82B984935611B07174624338DFEF03A4C375DE0E7E15A3EF25
Reporter malware_traffic
Tags:CobaltStrike dll exe


Avatar
malware_traffic
Run method: rundll32.exe [filename],StartW

Intelligence

File Origin
# of uploads :
2
# of downloads :
508
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
iduD2A1.tmp
Verdict:
No threats detected
Analysis date:
2021-06-28 22:24:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9460f03f-221d-4289-b49f-d9a969f0f038

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168654/
Detection(s):
SecuriteInfo.com.UDS.Trojan.Win64.Shelma.8581.23244.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9877c93c-15a1-4193-bc05-7aedeef66af7
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/809082
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: CobaltStrike Load by Rundll32
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441489 Sample: iduD2A1.tmp Startdate: 29/06/2021 Architecture: WINDOWS Score: 84 26 Found malware configuration 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Yara detected CobaltStrike 2->30 32 2 other signatures 2->32 7 loaddll64.exe 1 2->7         started        process3 process4 9 rundll32.exe 6 7->9         started        13 rundll32.exe 7->13         started        15 cmd.exe 1 7->15         started        17 21 other processes 7->17 dnsIp5 24 zizodream.com 107.181.161.197, 443, 49707, 49708 TOTAL-SERVER-SOLUTIONSUS United States 9->24 34 System process connects to network (likely due to code injection or exploit) 9->34 19 rundll32.exe 6 15->19         started        signatures6 process7 dnsIp8 22 zizodream.com 19->22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58/
Threat name:
Win64.Trojan.Shelma
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 22:38:04 UTC
AV detection:
1 of 46 (2.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
03729ae2db20f485c0b83fbf36d2a22d629137deb2032bf972132db9f2805882
CobaltStrike
673d8268fd21825ca5f21d8b395cdcede7009b60e540cb36c46f5794626faefb
CobaltStrike
8fabea95cbfe1da521dfcd7880ec3301a3a32175741680d8c1a8acacc0199eb7
CobaltStrike
9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545
CobaltStrike
a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11
CobaltStrike
bcbd4211108cf3c477de91d78383150e1d30f98d41c372770503eb259a762824
CobaltStrike
cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c
CobaltStrike
d4a027269ca7a78f578e980333ac22f8ab39d5f4ef71490b49af6cb884195321
CobaltStrike
dbafbe9edfdac67a781756a6970a7341fd5401b0914fff7e3e8136cff0426fc5
CobaltStrike
f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d
CobaltStrike
+ 934 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 backdoor trojan
Link:
https://tria.ge/reports/210629-w4d627qj3e/
Behaviour
Modifies system certificate store
Blocklisted process makes network request
Cobaltstrike
Malware Config
C2 Extraction:
http://zizodream.com:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58
MD5 hash:
55646b7df1d306b0414d4c8b3043c283
SHA1 hash:
ddf0214fbf92240bc60480a37c9c803e3ad06321
Link:
https://www.unpac.me/results/de793a9f-7735-49be-b15e-2c83dee3f909/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168654/

Comments