MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d08430ad21c7a08c68416ad117358c281e8d66c1eed9c8a5a044af66488369c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike
Vendor detections: 12



SHA256 hash: d08430ad21c7a08c68416ad117358c281e8d66c1eed9c8a5a044af66488369c0
SHA3-384 hash: 2bde399ba8236116d1bb7848a7dcedd32c760f6e10869269c9c2711a97a5ca8c5f8d9bf7b1bee6093939b0aa71d6cfec
SHA1 hash: 5d3af21b48a0ee8a12f9b8bc2060a5f8495696e5
MD5 hash: 5e4334f9e8452990f42a2aa1504a1063
humanhash: alaska-berlin-jupiter-freddie
File name: tbpaeheacddx.dll
Signature: CobaltStrike
File size: 2'928'128 bytes
First seen: 2022-03-28 17:34:05 UTC
Last seen: 2022-03-30 04:51:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3d6687061bd2ab02d113add0ae40a140 (1 x CobaltStrike)
ssdeep: 24576:HhRA6qxLx9thcjTcK8XhQMEOihXXna3BDUH7u9MLgmrGBVzNdvrcVh79r1KPB3DA:HhGHtM8XqqB45rL8pfxZe1+JPa
Threatray: 234 similar samples on MalwareBazaar
TLSH: T1C4D52A17FAB250E1D4BAC2399293233BBE7175A8433097C39651961B4F22BF4B53D788
Reporter: malware_traffic
Tags: Beacon Cobalt Strike CobaltStrike exe


malware_traffic
Cobalt Strike DLL dropped by Emotet infection on Monday 2022-03-28.
Run method: regsvr32.exe [filename]

Intelligence

File Origin
# of uploads: 4
# of downloads: 294
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: tbpaeheacddx.dll
Verdict: Malicious activity
Analysis date: 2022-03-28 17:35:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: CobaltStrikeBeacon
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Cobalt Strike
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph (ID 598575; sample tbpaeheacddx.dll; start date 28/03/2022; architecture WINDOWS; score 72): loaddll64.exe starts rundll32.exe (twice), cmd.exe and regsvr32.exe; cmd.exe starts a further rundll32.exe; regsvr32.exe contacts verofes.com (139.60.161.45, port 443, HOSTKEY-USA, United States). Graph signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Sigma detected: Suspicious Call by Ordinal; Sigma detected: Regsvr32 Network Activity; System process connects to network (likely due to code injection or exploit), flagged on both rundll32.exe branches.
Threat name: Win64.Trojan.Bsymem
Status: Malicious
First seen: 2022-03-28 17:35:14 UTC
File Type: PE+ (Dll)
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: cobaltstrike
Score: 10/10
Tags: family:cobaltstrike backdoor trojan
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Cobaltstrike
Unpacked files
SHA256 hash: d08430ad21c7a08c68416ad117358c281e8d66c1eed9c8a5a044af66488369c0
MD5 hash: 5e4334f9e8452990f42a2aa1504a1063
SHA1 hash: 5d3af21b48a0ee8a12f9b8bc2060a5f8495696e5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: Emotet
