MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6618f430c04b203394c7887803a2171402efa31427c0835e24c9dec935bf79c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6618f430c04b203394c7887803a2171402efa31427c0835e24c9dec935bf79c
SHA3-384 hash: bb300609c0f8614943fb3e125a3afd7f5e2384ad25910243fcbcd1fb276d7c5ebc2d37dc768a743f6cb07a78562dbed2
SHA1 hash: 0404533a0d46520754a2044b63c946dc36ff6e15
MD5 hash: b76385aed5a029fdcdbd634543a8e252
humanhash: seven-hydrogen-oranges-london
File name:art32.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:94'720 bytes
First seen:2022-09-08 14:54:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fdfa730eb437c797087eed64dcf2dc98 (1 x CobaltStrike)
ssdeep 768:4sWIZPApiXmFdyzCWiwOM+jn9/s+kanzOgLo2CkEwC1/hBzjn4P6/saPjDlrAzDG:3WSUK/zChpexQxC1HZ/Zl0zD
Threatray 2'441 similar samples on MalwareBazaar
TLSH T1BA93943EF6B7608DE5D0C73D9EB797E1AED578C10AE14E0E511180858B689C8DE6FE02
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.5% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon cccc0df033030f4c (2 x CobaltStrike)
Reporter TheDFIRReportX
Tags:CobaltStrike exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
703
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
art32.exe
Verdict:
No threats detected
Analysis date:
2022-09-08 14:56:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2c359b21-95b5-4dad-893e-f30ebb6d22f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308815/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1202039.27611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37091/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a981fcb5-fd49-4ea6-a31f-3162c1b5db0a
Result
Threat name:
Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1067237
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 699766 Sample: art32.exe Startdate: 08/09/2022 Architecture: WINDOWS Score: 80 21 Malicious sample detected (through community Yara rule) 2->21 23 Antivirus / Scanner detection for submitted sample 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 2 other signatures 2->27 7 art32.exe 2->7         started        process3 signatures4 29 Found API chain indicative of debugger detection 7->29 10 WerFault.exe 20 9 7->10         started        13 cmd.exe 1 7->13         started        process5 file6 19 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 10->19 dropped 15 conhost.exe 13->15         started        17 reg.exe 1 1 13->17         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6618f430c04b203394c7887803a2171402efa31427c0835e24c9dec935bf79c/
Threat name:
Win64.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 14:54:10 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zqy6qymaszagokmpcdyaorbofac56rrij6aqnpcjso6ze2366oa._file
Verdict:
malicious
Similar samples:
14f2a593281d5c9700a878f32199aa69b18f10b2d3849d216764f96a3f8a00f9
CobaltStrike
32708c5d376f130b48bf3bd706879c1945a2d701036d94e25aceea41a4042052
CobaltStrike
4533b5392f6e49cf20ee0821b4c8b6b74b8af274995646791ec7fe48a2615425
CobaltStrike
538da46bffb52cffd821cb51ebd76072b6775773df6113ac1e98edab0ca49a2a
CobaltStrike
603b317507f3368d6d1f9a60b94e03d0afa277035fbe76d92124f1c5664b6274
CobaltStrike
6b7982a4d2ea097c2d79ac9832e21ee32bf9579bda86ba0cba1d95a59951becb
CobaltStrike
b14cde376a8a7a9d7ad34cdfd07108c132ad8be7f60c5c0a0f17b6b63eb28b49
CobaltStrike
b6f39cc063683b87b281bd27cd4b421e2d5925f8bd6f3a5b0355a3f92532111d
CobaltStrike
c8f4dff419f7f7171eef80e075a7ff6f5277408e8fa26b807e3faf6834e7c7c4
CobaltStrike
+ 2'431 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220908-r9we8scacj/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
d6618f430c04b203394c7887803a2171402efa31427c0835e24c9dec935bf79c
MD5 hash:
b76385aed5a029fdcdbd634543a8e252
SHA1 hash:
0404533a0d46520754a2044b63c946dc36ff6e15
Link:
https://www.unpac.me/results/aab4da1f-3a51-4801-9427-a237005f6603/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6618f430c04b203394c7887803a2171402efa31427c0835e24c9dec935bf79c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/308815/

Comments