General

  • Target

    beacon.exe

  • Size

    383KB

  • Sample

    201208-rj59b6k2fn

  • MD5

    860cdd118f68793a680ad4d22c43619a

  • SHA1

    18ad055e52757826b292e2e05fc9d15e33ccd4bf

  • SHA256

    4f6af6104eb118ee193f1b77124dfcdfbef04af6ae6e55c8e37f2f68e9d526eb

  • SHA512

    f6ce5ba4a0b21e49adde25e934b0f1426d372297033d027131a9afb8b28350ff74a48a1fdaca9b6f069b7164124d96f8e7cf7fa55e79321197b6c805302836ae

Malware Config

Extracted

Family

cobaltstrike

C2

http://oow8Phokeing6kai5haH.glowtrow.online:443/gifs/

http://ooLiey0phuoghei2cei7.cleans.online:443/gifs/

http://eiphaem9aifuR1udaizu.badedsho.space:443/image/

Attributes

  • access_type

    512

  • beacon_type

    2048

  • dns_idle

    6.7373064e+07

  • dns_sleep

    8.1297408e+08

  • host

    oow8Phokeing6kai5haH.glowtrow.online,/gifs/,ooLiey0phuoghei2cei7.cleans.online,/gifs/,eiphaem9aifuR1udaizu.badedsho.space,/image/

  • http_header1

    AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    5120

  • maxdns

    235

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dfrgui.exe

  • sc_process64

    %windir%\sysnative\dfrgui.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIvdvQtJDW1I3V763zrsMpAmKESYebzPux6wkGUe3JLUJvczek+1wURhIWBSAHODyo9VoVYeV+Fdi5GC0F0c2E/NuZLhEk3eetXSCMFJCMo0wXM3ACHlKjMy1l87lvp4k+BN3+FR+bhR2mps1R+tsO941l1YKmMDez894lUy1mXwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.2384e+09

  • unknown2

    AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /stocks/

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

Targets

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Deletes itself

    • Suspicious use of SetThreadContext
