Trojan.CobaltStrike.HM
Analysis Report
General information
| Family Name: | Trojan.CobaltStrike.HM |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| a0a35f5017ff1dd212c4aefe9c780c3b | ced67d48d8415beeb2313f6615acabe95823118c | | 1.27 MB, 1269248 bytes |
| 33db4317e0309793f8e1024f63391335 | 8be8a88582379d57d14c7b507c3488bfebc399dc | | 1.27 MB, 1271296 bytes |
| 84312231c2708ffc8617e6fcf063d7bd | 08af686b2e41d2cfa6d45981d68ff8421c0b0e4d | | 1.58 MB, 1575936 bytes |
| be939fef684c9a388215eab7f9a3ac42 | e8ef1b51fde7bab6f0ffb5a70f59fd34de8a54a4 | | 1.12 MB, 1123840 bytes |
| 3a09d8a483930e52b360765ab7c06a0f | bd4f843e3cef9dc3f43d6901fdb995923826078a | | 1.28 MB, 1281024 bytes |
| d2b1e1c3b3acd1695041f9fb9ee8059c | 3fa8d091fb1444200a0bc9aba067f087a971aa30 | | 1.40 MB, 1403392 bytes |
| 76f3f8f4f55b4b3a61530be3d746aca2 | cc818813dc3a3faba918f34ad2b87edfbff22767 | | 1.40 MB, 1395200 bytes |
| 98ded928ec78a9e6ca5039aeeb9a63c3 | 6d4e4d691788e2389cf0c67e1d209a5463d2b084 | | 1.43 MB, 1432064 bytes |
| 659189d273844c010664156769af9d83 | f4c953ce707a778b22fa37ed9fbed0d3f81ad513 | | 1.32 MB, 1323008 bytes |
| 77438729704a8a8d0138e56b799867de | d537ef004728776d4347f721a87d631b354c07cd | | 2.06 MB, 2059264 bytes |
| 99b8dd62bda73ca629d024d4a63be2a9 | 739c745feacb5416543b4106239e24435224fbff | | 1.42 MB, 1421824 bytes |
| ae84caaa3270f0de6e52b20b2d08097f | c7c711bcefe09d2484dd66e4946a48c6978d186f | | 2.04 MB, 2040832 bytes |
| e0bf8b0e331090ef54fcd42fdfc153f7 | 3365f8790603dd2ee386ab4566ef80e6cf634065 | | 1.12 MB, 1121792 bytes |
| f98bb6d1e4760d3feaf3d1a3ffa91818 | 24d4c3989aed95af0a0bdd371d5357be85e576e2 | 5C93AE7394DF987905C32DED33EBB9096AE9051B61D886C7C9ACCFA822B29BA7 | 1.37 MB, 1373696 bytes |
| 191cbfd6af39b7edb4f877798d109067 | 949fe881c46eb0f322742882bc782dacbeae5d46 | D19F9627CBDB2A002101133C020948237A2837B8FFD5136B8399E61B9735BBA1 | 1.90 MB, 1895936 bytes |
| 7c120de14bd80b54675860213b4d5456 | de1c22db4024535d411b823e528bd349f75ef5d8 | C84A9C9705196060C03B2BF69ED9F4162861567CE905749A818AFBDC36F8FF09 | 994.82 KB, 994816 bytes |
| 7f9422d84461ed7bdec09eea5ac42cb0 | fdd7f2f372758116bb82304c45ac53cd3f559cf4 | ABF4654E72EB7B1E8C6FF1B32C4BA94B5A68C1024ECB8E66F731295B50EDBE72 | 1.18 MB, 1180672 bytes |
| 771d87eec82aeeef3b2466f7652d0b1a | 4075aa1cd4aa999425071910530360821980b49f | A22B65D14B98501D11D6C32F19A3D1FEF5A08506435D7315F912F1D27570D038 | 968.19 KB, 968192 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have resources
- File doesn't have security information
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | Microsoft Corporation |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | © Microsoft Corporation. All rights reserved. |
| Original Filename | |
| Product Name | Microsoft® Windows® Operating System |
| Product Version | |
File Traits
- HighEntropy
- No Version Info
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 4,139 |
|---|---|
| Potentially Malicious Blocks: | 1,779 |
| Whitelisted Blocks: | 1,936 |
| Unknown Blocks: | 424 |
Visual Map
[Block map not reproduced here: the page renders it as a per-block grid of the legend symbols below, and its data is truncated.]
Legend:
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- CobaltStrike.HM
- CobaltStrike.SVA
- CobaltStrike.UJ
- Kryptik.DVM
- Kryptik.DVN
- Kryptik.DVO
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |