MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e424a0ff956433e468ec8c1220f6b2b760e8624187c011e4dabf227a285af670. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e424a0ff956433e468ec8c1220f6b2b760e8624187c011e4dabf227a285af670
SHA3-384 hash: 05eb853656cd80f30d30187083fe77ad9e4ba5a7e79818ac4855f1e5a427a8e5d49d07665beb8ca42501415009c277e8
SHA1 hash: 13ba5432ed11eea8615454a381614566889796af
MD5 hash: df3d85e0ef6376d02c41ea4f282c9c5d
humanhash: river-sixteen-bluebird-sixteen
File name:e424a0ff956433e468ec8c1220f6b2b760e8624187c011e4dabf227a285af670
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:13'312 bytes
First seen:2022-01-06 03:26:02 UTC
Last seen:2022-01-06 05:08:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad50eff6f6f8cbc0599257850c71f760 (1 x CobaltStrike)
ssdeep 384:w/u7FLwltjMUkG1uR/Q3kLSh6Zvo7TN3:DxEXAu1uJikLS6toXN
Threatray 1'561 similar samples on MalwareBazaar
TLSH T1B652C0863F9DD3FAC43111B96B93890C87DAC6E3075AEF279B5500DB2F20AE48E01D18
Reporter JAMESWT_WT
Tags:cgbchnia CobaltStrike exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
603
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e424a0ff956433e468ec8c1220f6b2b760e8624187c011e4dabf227a285af670
Verdict:
No threats detected
Analysis date:
2022-01-06 03:31:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b2fda57-4bd9-44b8-a7db-66e6b53c06c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217495/
Detection(s):
SecuriteInfo.com.Trojan.Win64.Shelma.4c.3012.32460.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
Unauthorized injection to a recently created process
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d66156135d97804c0e6f1b/reports/c6663b02-05a0-41bd-a5cb-0dfc696f8fb1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/496cd332-6b56-4c2f-a13a-eb10fc28a19b
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916123
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e424a0ff956433e468ec8c1220f6b2b760e8624187c011e4dabf227a285af670/
Threat name:
Win64.Backdoor.CobaltStrikeBeacon
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 03:24:48 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
032f8678c49d5320602b75ce8da611d6bc4268354e905aed217451d7f739da67
CobaltStrike
31bffcb4afdba092230c1e621a8259aff530d812ababfe2d34af5fbfea827efd
CobaltStrike
49f80e9afca6ccd55838cd0e16639d51ed5db3d751f36ba7d79ea0678b50da6a
CobaltStrike
4e9cee63c296120b3640a6201b4cb4295be8cfec39a4828eb4c4fc34d69cc69c
CobaltStrike
56f3f593d4bf728840e00df5ba1a1fe1ffddf142a3e42dac6023c866d3670624
CobaltStrike
984265f2a1df743a585b3ed1aa138080dbc0e27c66d2472d10a66c916739556c
CobaltStrike
a8241398b22ba3745b460a7a0c39cb9a86ca258b9283901d42e8dab283acb39b
CobaltStrike
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
CobaltStrike
f74f5eb8416d9522e703877e104ac7923cc3efeedaa1138b6221726b0d359096
CobaltStrike
+ 1'551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/220106-dy7r8sahg9/
Unpacked files
SH256 hash:
e424a0ff956433e468ec8c1220f6b2b760e8624187c011e4dabf227a285af670
MD5 hash:
df3d85e0ef6376d02c41ea4f282c9c5d
SHA1 hash:
13ba5432ed11eea8615454a381614566889796af
Link:
https://www.unpac.me/results/396910b3-9b06-4a1a-92a4-74fe9d7b4579/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e424a0ff956433e468ec8c1220f6b2b760e8624187c011e4dabf227a285af670

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217495/

Comments