metasploit | a15161d2967f272e94d617c7053bbcdbf0ee09148a0d9b13c52a69da077d3a01 | Triage

Sharing

General

Target

2020-11-04-Hancitor-and-Cobalt-Stri.zip
Size

906KB
Sample

201109-z8ssjz4t1e
MD5

890eeb424ed41eea3483c5b541d41972
SHA1

7e268719450b8cd648152af10e0565b9ff6509fe
SHA256

a15161d2967f272e94d617c7053bbcdbf0ee09148a0d9b13c52a69da077d3a01
SHA512

ecf45cabcd7308227a28efde3d87b0e9a9ef0c455c26da72f40fbc086608c3114611f1c91929d6321b2a030789e9d9e6535c94cc4d683e4f95f87aed4ed02e26

Score

10^/10

metasploit backdoor discovery spyware trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://31.44.184.131:80/sPIP

Attributes

headers User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)

Targets

- Target
  
  2020-11-04-Cobalt-Strike-EXE.bin
- Size
  
  14KB
- MD5
  
  da977ca12c4990e59598897e40e4e8d7
- SHA1
  
  50ffd5e0e0ac0876f61885f610d5d4f50465cf84
- SHA256
  
  8f3eb6ca303de759c0530906ad4675432d7d3361641b46413e12f325b4028081
- SHA512
  
  c7af00076e2cc905a57d16fe1891b16a98ff6a0695612a50a781114e0dc86926a1aa36cdaa9355a46aff258c2f922ecbcb8cda727206bf1145a7b68e601cc079
Score

10^/10

metasploit backdoor trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
behavioral1 behavioral2
- Target
  
  2020-11-04-Ficker-Stealer-EXE.bin
- Size
  
  266KB
- MD5
  
  1db6bd4d13cb9966e8875b3812aef71d
- SHA1
  
  974c46a807d2d680dad5b6d63c38dd0e06e1ed68
- SHA256
  
  9bdbb8dde9ad9be8d9303df1697e13a0f846cca95bc9e41d513c1f5f2a7a37b3
- SHA512
  
  550405e7409846ab8673b6eacd1a8132d0582b3cde9360f92d812a9e399ac62459798839ae76e57144933fca2fbe36d89bf66fe72df668774eb5a2514a34ae4b
Score

7^/10

discovery spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  2020-11-04-Hancitor-EXE.bin
- Size
  
  603KB
- MD5
  
  6b70a0ca3e7d80568109ab304c7b0fb0
- SHA1
  
  476c1b11485a6d679d5bbba3b085e80361bff340
- SHA256
  
  cca24cf66321e5b2f63bb52b5183e9cc437bf1b59d5f34043307dbd3ab02ae62
- SHA512
  
  8577d1175d02ba9c3d190e0cf0634e2a257ac97ea36348d3db6e7719ed1d50a37bacb271f2aca7889598a874bd25d182639dc6dade9994326c2e19120413ce72
Score

6^/10
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  2020-11-04-XLS-file-with-macro-for-Hancitor.bin
- Size
  
  293KB
- MD5
  
  6ffb46347dea6d4d021daeaf48afef79
- SHA1
  
  4970fa3d88f383be0b2f31eea97adc4e61b5bd21
- SHA256
  
  7095724f5d80a968bcb7c0495f1689abaed255db80f12c9915dfa4b5414941b9
- SHA512
  
  dae8af4adb9ba99a633099d2f4b4937669d258cd0901b59fcbe95fd0247b5c073b70f14a4ca5075d1179e1b7209184b8f6e5787a2a0235ca7430a7a0af6fdcfd
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

metasploitbackdoortrojan

behavioral2

metasploitbackdoortrojan

behavioral3

discoveryspyware

behavioral4

discoveryspyware

behavioral5

behavioral6

behavioral7

behavioral8