MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407
SHA3-384 hash:	c27cbd434d795876a805e469f1c97d89a196c2482db8a7a59fd996b4d672f9ae571dae3168338a730c19ec1183189737
SHA1 hash:	cf774ceefce201acb4c1642d1ceb31dd121e254c
MD5 hash:	5f1d0aa6867afd427cdce43e847dd098
humanhash:	delaware-maine-stream-mars
File name:	e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407
Download:	download sample
Signature	CobaltStrike Create hunting rule
File size:	185'824 bytes
First seen:	2021-07-20 06:04:29 UTC
Last seen:	2021-07-20 06:44:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5113cba6ae071e97cfe94fe34d571ccb (2 x CobaltStrike)
ssdeep	3072:LXwHR0ZNXRAHjygFEeaBTDk1WWdLi4YKMJKzveLWjb2rz17XL3MW5tCsnp3lc:GR02hFEeKDk1/qzLWjbQ7XBns
Threatray	1'087 similar samples on MalwareBazaar
TLSH	T19304AD14B2A510AFEE7685B18A935612B57238210334DFEF03A48335EF1EBE15D7AB35
Reporter	JAMESWT_WT
Tags:	CobaltStrike exe signed Tellingent Limited

Code Signing Certificate

Organisation:	Tellingent Limited
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-07-05T00:00:00Z
Valid to:	2022-07-13T23:59:59Z
Serial number:	046ef51984e5b68e84589394684f1584
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	bb57515b0a645bba824cfedb1a8c582993c3f943cf88dc75ff095788e21e210f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

2

# of downloads :

495

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

filedata.dll

Verdict:

Malicious activity

Analysis date:

2021-07-19 13:44:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cf4ae9d4-0dbf-4c4a-b7bb-540bd651737b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/172693/

Detection(s):

SecuriteInfo.com.Trojan.Win64.Shelma.4c.6077.32485.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Unlabeled

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/cb8d39be-b1b3-44ca-a3ba-7c995c6b2d91

Result

Threat name:

CobaltStrike

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/818662

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: CobaltStrike Load by Rundll32

System process connects to network (likely due to code injection or exploit)

Yara detected CobaltStrike

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407/

Threat name:

Win64.Trojan.Shelma

Status:

Malicious

First seen:

2021-07-19 16:05:52 UTC

File Type:

PE+ (Dll)

Extracted files:

2

AV detection:

5 of 46 (10.87%)

Threat level:

5/5

Verdict:

malicious

Label(s):

cobaltstrike

Similar samples:

2bfe11c06ffe157399432080f6de6190e1062c99b4a55ec31974b5a37ee8dd3c

2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9

673d8268fd21825ca5f21d8b395cdcede7009b60e540cb36c46f5794626faefb

6880a560c6cc3dd49bdc94a90dcc8dc69e55a6d842e76bb0dff0038bad6a762f

9ca6449c0586a77c55586bcc7adfaef2c3cc53da4713c5ed57fced15a3054545

a93eb70cc4152e32cd3a39fda968b2da5ade48453927410a0d520f2d13223d11

cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c

cf0a85f491146002a26b01c8aff864a39a18a70c7b5c579e96deda212bfeec58

f25295fc7d3435f80f39e602465da255ee0ace3d845315dac8731873adff894d

+ 1'077 additional samples on MalwareBazaar

Result

Malware family:

cobaltstrike

Score:

10/10

Tags:

family:cobaltstrike botnet:0 backdoor trojan

Link:

https://tria.ge/reports/210720-lb3njc2a9s/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Blocklisted process makes network request

Cobaltstrike

Malware Config

C2 Extraction:

http://standartrocks.com:443/jquery-3.3.1.min.js

Unpacked files

SH256 hash:

e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407

MD5 hash:

5f1d0aa6867afd427cdce43e847dd098

SHA1 hash:

cf774ceefce201acb4c1642d1ceb31dd121e254c

Link:

https://www.unpac.me/results/52eca87d-558b-4bdc-8250-342d15a4c553/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e8d4bf2dc68074adf01dc003d51de3842994ae07fa88c370e8d29f1c27d9c407

File information

The table below shows additional information about this malware sample such as delivery method and external references.

X

https://twitter.com/malwrhunterteam/status/1417181186686914561?s=20

Cape

Cape

https://www.capesandbox.com/analysis/172693/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample