MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CobaltStrike


Vendor detections: 8



SHA256 hash: fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507
SHA3-384 hash: ec63f6528f7ba5a42db74a586f97bc11998059f288ce8085b94c050db8dfdb76c6285aadb5391e051a54b8f094842f6b
SHA1 hash: 2c4aaefe0c20843db9b9f4996d42c7563b081097
MD5 hash: b873bfa8dec8c3a1f62c30903e59e849
humanhash: robin-michigan-social-magazine
File name: oben32.dll
Signature: CobaltStrike
File size: 362'496 bytes
First seen: 2021-12-14 14:01:31 UTC
Last seen: 2021-12-14 17:05:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bd51a645a9c68bd03b2e51586e5cbdcb (4 x RemcosRAT, 1 x Exorcist, 1 x Formbook)
ssdeep: 6144:4GG9uLzUVA9S35rB9msFdC/6Oy6MpNahmawTxLUfq3e7BuXIYtEiwW4VpJQ9gHRa:lzQe5T
Threatray: 466 similar samples on MalwareBazaar
TLSH: T147742D09CF5DC2CBEED640B4DCAAB9CBD138DB924C9045F3BEA98D967C228395507E44
Reporter: malware_traffic
Tags: 64-bit Cobalt Strike CobaltStrike dll exe


malware_traffic
64-bit DLL for Cobalt Strike. Can be run using regsvr32.exe [filename]

Intelligence


File Origin
# of uploads:
2
# of downloads:
596
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
oben32.dll
Verdict:
No threats detected
Analysis date:
2021-12-14 14:02:51 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
[Behavior graph rendered as an image; text recovered from the page] Behavior Graph ID: 539567. Sample: oben32.dll. Start date: 14/12/2021. Architecture: WINDOWS. Score: 60. Signatures: Multi AV Scanner detection for submitted file; Sigma detected: Suspicious Call by Ordinal; System process connects to network (likely due to code injection or exploit), raised for rundll32.exe. Process chain: loaddll64.exe starts cmd.exe, rundll32.exe, regsvr32.exe and WerFault.exe; cmd.exe starts a further rundll32.exe; rundll32.exe and regsvr32.exe each start a WerFault.exe. Network: api.musicbee.getlist.destinycraftpe.com (104.41.145.218, port 443, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; local ports 49749, 49750) contacted by loaddll64.exe, regsvr32.exe and rundll32.exe; 192.168.2.1 (unknown) contacted by WerFault.exe.
Threat name:
Win64.Trojan.CobaltStrike
Status:
Malicious
First seen:
2021-12-14 14:02:12 UTC
File Type:
PE+ (Dll)
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Result
Malware family:
cobaltstrike
Score:
  10/10
Tags:
family:cobaltstrike backdoor trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Cobaltstrike
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://api.musicbee.getlist.destinycraftpe.com:443/azure/v2/api
Unpacked files
SHA256 hash:
fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507
MD5 hash:
b873bfa8dec8c3a1f62c30903e59e849
SHA1 hash:
2c4aaefe0c20843db9b9f4996d42c7563b081097
Malware family:
Cobalt Strike
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: CobaltStrike
File type: Executable exe
SHA256 hash: fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507 (this sample)
Delivery method: Distributed via web download

Comments