Overview

overview

10

Static

static

Test1

windows10_x64

10

Resubmissions

12-02-2021 17:46

210212-qj1pxv26za 10

12-02-2021 13:49

210212-qh2m1q4eyx 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    independent_appraisal.jar

  • Size

    6KB

  • Sample

    210212-qh2m1q4eyx

  • MD5

    e94dbabc70b4396b39d3a3d3e53cf85b

  • SHA1

    bc6f6267313c0a768ed3f8f92f90c1f105cbd949

  • SHA256

    25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36

  • SHA512

    fb2eb9aeb02d111c23cdb61f668affcfb3e847159ce8a158ed39e2f136b9993f8dc68ddbd649d8f13f75ced7f7499c6410861daa1fde8fb15c010c6ccd2f3582

Score
10/10
buercobaltstrikebackdoorloadertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://luasdyfaenflkjasdfh.com:80/ujbgRNkjhThjlikOkihyrdtuyt3s

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://wieubfavbrgaxyaadf.com:80/fjahglknfuidfejfsknclbiuakemfamomffnwuagNFakibgiuhnIfaiurakifahgbaliof83u4inr

Extracted

Family

buer

C2

antipublicwestbank.com

Extracted

Family

cobaltstrike

C2

http://wieubfavbrgaxyaadf.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://213.252.245.98:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://luasdyfaenflkjasdfh.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    wieubfavbrgaxyaadf.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,213.252.245.98,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYd1oQf060FSdDXzjBJqdlpV8YWyEYknN6Z9OBGmUfGC658UlUamK8rmhpR2H5ifIBvJq1FFRmC1P0KRYvvr731B3yvjDDiQR8z4PvUaIroO1g/i6BZZfoJRGl+LlUHFxzg+knc+irsSpjerv2BcnkZk3ajwFA2i/E6E2UtsWVHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

C2

http://wieubfavbrgaxyaadf.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://213.252.245.98:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    wieubfavbrgaxyaadf.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,213.252.245.98,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYd1oQf060FSdDXzjBJqdlpV8YWyEYknN6Z9OBGmUfGC658UlUamK8rmhpR2H5ifIBvJq1FFRmC1P0KRYvvr731B3yvjDDiQR8z4PvUaIroO1g/i6BZZfoJRGl+LlUHFxzg+knc+irsSpjerv2BcnkZk3ajwFA2i/E6E2UtsWVHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Targets

    • Target

      independent_appraisal.jar

    • Size

      6KB

    • MD5

      e94dbabc70b4396b39d3a3d3e53cf85b

    • SHA1

      bc6f6267313c0a768ed3f8f92f90c1f105cbd949

    • SHA256

      25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36

    • SHA512

      fb2eb9aeb02d111c23cdb61f668affcfb3e847159ce8a158ed39e2f136b9993f8dc68ddbd649d8f13f75ced7f7499c6410861daa1fde8fb15c010c6ccd2f3582

    Score
    10/10
    buercobaltstrikebackdoorloadertrojan

    • Buer

      Buer is a new modular loader first seen in August 2019.

      loaderbuer

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Buer Loader

      Detects Buer loader in memory or disk.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks