MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec50240df30bcbc5ece80e6a6702b7230b81e68b712083f01a5780761693c5ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CobaltStrike

Vendor detections: 8

SHA256 hash: ec50240df30bcbc5ece80e6a6702b7230b81e68b712083f01a5780761693c5ae
SHA3-384 hash: 72608483a48a678689176d6d55274e5d8e5b3e724619e62b7875e055c994c82a7591dbb410f74636029b91a4b6a2424c
SHA1 hash: d590852e16f64f297f3168d352a0e06f5ae5afa0
MD5 hash: d83f08283659ea11c7cd87deee56660d
humanhash: india-monkey-sierra-golf
File name: flashplay_install_zh.exe
Signature CobaltStrike
File size: 78'336 bytes
First seen: 2020-11-04 12:38:05 UTC
Last seen: 2020-11-04 15:26:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:hyXYdtvq183GEUI9M0lw/6Uunlv7yHAoOEcPgHURmFBgFwYcEgu:Jt1xUI9STe74yrOu
Threatray 36 similar samples on MalwareBazaar
TLSH F673E7D102E11127F273483E42027790686BEFDDD50B685EFD897AAF7A35F8097E2522
Reporter JAMESWT_WT
Tags: CobaltStrike

Intelligence
File Origin
# of uploads: 2
# of downloads: 88
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Replacing files
Creating a window
Creating a file
Searching for the window
Delayed writing of the file
Sending a custom TCP request
Changing a file
Modifying a system file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Installs Task Scheduler Managed Wrapper
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph: (graph rendering not reproduced; Behavior Graph ID 309151, sample flashplay_install_zh.exe, start date 04/11/2020, architecture WINDOWS, score 100)
Threat name:
ByteCode-MSIL.Trojan.Shelma
Status:
Malicious
First seen:
2020-10-28 18:54:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 48 (56.25%)
Threat level:
5/5
Result
Malware family:
cobaltstrike
Score:
10/10
Tags:
family:cobaltstrike backdoor trojan
Behaviour
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Executes dropped EXE
Cobaltstrike
Malware Config
C2 Extraction:
http://www.ugliquarie.com:443/owa/
Unpacked files
SHA256 hash:
ec50240df30bcbc5ece80e6a6702b7230b81e68b712083f01a5780761693c5ae
MD5 hash:
d83f08283659ea11c7cd87deee56660d
SHA1 hash:
d590852e16f64f297f3168d352a0e06f5ae5afa0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CobaltStrike
File type: Executable exe
SHA256: ec50240df30bcbc5ece80e6a6702b7230b81e68b712083f01a5780761693c5ae (this sample)

Comments