cobaltstrike | 7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8

General

Target

7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe
Size

5.2MB
MD5

a4964bbfeafa37db2098646f4f14942a
SHA1

3bbf4e4adf9075156969de857873165f95280d4a
SHA256

7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8
SHA512

82f96cdeab66f7ed55bf58143ea17c981243ab56d424cc79e98dcec8338636ac12983b7d7f17780b178cc8d79cb35ed52a83355f0dcccdd72bf3228588b7dfc4

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 5 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\VHEgGka.exe	cobalt_reflective_dll
C:\Windows\system\VHEgGka.exe	cobalt_reflective_dll
\Windows\system\YDLZUqW.exe	cobalt_reflective_dll
C:\Windows\system\YDLZUqW.exe	cobalt_reflective_dll
\Windows\system\AMcduhX.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 2 IoCs

Processes:

VHEgGka.exeYDLZUqW.exe

pid process

1528 VHEgGka.exe
1976 YDLZUqW.exe

pid	process
1528	VHEgGka.exe
1976	YDLZUqW.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\VHEgGka.exe	upx
C:\Windows\system\VHEgGka.exe	upx
\Windows\system\YDLZUqW.exe	upx
C:\Windows\system\YDLZUqW.exe	upx
\Windows\system\AMcduhX.exe	upx

Loads dropped DLL 3 IoCs

Processes:

7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe

pid	process
784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe
784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe
784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe

JavaScript code in executable 5 IoCs

Processes:

resource	yara_rule
\Windows\system\VHEgGka.exe	js
C:\Windows\system\VHEgGka.exe	js
\Windows\system\YDLZUqW.exe	js
C:\Windows\system\YDLZUqW.exe	js
\Windows\system\AMcduhX.exe	js

Drops file in Windows directory 3 IoCs

Processes:

7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe

description	ioc	process
File created	C:\Windows\System\VHEgGka.exe	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe
File created	C:\Windows\System\YDLZUqW.exe	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe
File created	C:\Windows\System\AMcduhX.exe	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe

description	pid	process	target process
PID 784 wrote to memory of 1528	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	VHEgGka.exe
PID 784 wrote to memory of 1528	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	VHEgGka.exe
PID 784 wrote to memory of 1528	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	VHEgGka.exe
PID 784 wrote to memory of 1976	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	YDLZUqW.exe
PID 784 wrote to memory of 1976	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	YDLZUqW.exe
PID 784 wrote to memory of 1976	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	YDLZUqW.exe
PID 784 wrote to memory of 1440	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	AMcduhX.exe
PID 784 wrote to memory of 1440	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	AMcduhX.exe
PID 784 wrote to memory of 1440	784	7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe	AMcduhX.exe

C:\Users\Admin\AppData\Local\Temp\7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe
"C:\Users\Admin\AppData\Local\Temp\7591a1f8cb3bb8bd8cce16eece47e9d29c980824a5895291e4146f37ba3eeac8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\System\VHEgGka.exe
C:\Windows\System\VHEgGka.exe
2⤵
- Executes dropped EXE
PID:1528

C:\Windows\System\YDLZUqW.exe
C:\Windows\System\YDLZUqW.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\System\AMcduhX.exe
C:\Windows\System\AMcduhX.exe
2⤵
PID:1440

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\VHEgGka.exe
MD5
c3f1af8abf20f307b2edcac41dc615f5

SHA1
5f48e24dbac14a47d436bb277545f4328116bc26

SHA256
96b050e6d4548e321a5684d7f625610809a5223f0d48a0f67381a3b7785b95b6

SHA512
62d9955005df15b45cff836f76eed3e94c5a2d9345e9bcb58f1cda77a9d6aca4afe036518a14bcdaf1190162f644efca315554d5622a9b0aa2655b10c8191999

Download Submit
C:\Windows\system\YDLZUqW.exe
MD5
1a354d5428a877805a4f456293de82fd

SHA1
847443ae2c52a10b4d9aaf6508eaf611e76493c4

SHA256
149643767422e0df15143553bd83514600410e45c0da6ac87bd4913d2d968633

SHA512
489297a6dc0340940d3bd0819c4bc7be19490f4373f68d9857a4cdbbddb53795a059b5c1feb05b8423b676c8dc2f646bebd45cd70ed54feb2d9553a52a2d5ec0

Download Submit
\Windows\system\AMcduhX.exe
MD5
7cc0142c06d96e4bbd66b114494201ce

SHA1
28b306016eb14cb69b02ec192a1af42a03433eb2

SHA256
9d72697838f12b3ed518078d9a55fe6d236670a10787bed87d82aea8f219d0d0

SHA512
d711f8da14c74e8ab1cbabe11d9b18743fd4bfed6b82b64abdb0f7d2229e02e329110691003c01383f11dacb5e0f15eb56a57d2301a4dfabc034cfdcc73c80f8

Download Submit
\Windows\system\VHEgGka.exe
MD5
c3f1af8abf20f307b2edcac41dc615f5

SHA1
5f48e24dbac14a47d436bb277545f4328116bc26

SHA256
96b050e6d4548e321a5684d7f625610809a5223f0d48a0f67381a3b7785b95b6

SHA512
62d9955005df15b45cff836f76eed3e94c5a2d9345e9bcb58f1cda77a9d6aca4afe036518a14bcdaf1190162f644efca315554d5622a9b0aa2655b10c8191999

Download Submit
\Windows\system\YDLZUqW.exe
MD5
1a354d5428a877805a4f456293de82fd

SHA1
847443ae2c52a10b4d9aaf6508eaf611e76493c4

SHA256
149643767422e0df15143553bd83514600410e45c0da6ac87bd4913d2d968633

SHA512
489297a6dc0340940d3bd0819c4bc7be19490f4373f68d9857a4cdbbddb53795a059b5c1feb05b8423b676c8dc2f646bebd45cd70ed54feb2d9553a52a2d5ec0

Download Submit
memory/1440-7-0x0000000000000000-mapping.dmp

Download
memory/1528-1-0x0000000000000000-mapping.dmp

Download
memory/1976-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads