General
-
Target
Coll.CozyBear.zip
-
Size
13.0MB
-
Sample
210306-dv26adly7x
-
MD5
e049fd6d80d9285d156cdf5785a6e28e
-
SHA1
24752be3d70d5a36280da5b7ecf5b5b77039ac8e
-
SHA256
300c090861a547a4c211b15b9f45d6dcb976128c21b78b6c38d1cf4c5d998e12
-
SHA512
31915051a03611c7b00b0c25225cb905322e777c9aa3ebc600206c5bc6665cd407d61a66925b4d5c82ec350d503b7f0c99df2c3d62411e226ebcc73c3aceea56
Static task
static1
Behavioral task
behavioral1
Sample
APT29miniduke.bin.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
APT29miniduke.bin.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
CozyBearImplant.bin.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
CozyBearImplant.bin.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
ImplantCozy.bin.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
ImplantCozy.bin.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
MinidukeAPT29.bin.dll
Resource
win7v20201028
Behavioral task
behavioral8
Sample
MinidukeAPT29.bin.dll
Resource
win10v20201028
Behavioral task
behavioral9
Sample
Nov2018New!/AudioSes.dll
Resource
win7v20201028
Behavioral task
behavioral10
Sample
Nov2018New!/AudioSes.dll
Resource
win10v20201028
Behavioral task
behavioral11
Sample
ds7002.lnk
Resource
win7v20201028
Behavioral task
behavioral12
Sample
ds7002.lnk
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Nov2018New!/ds7002.bin.lnk
Resource
win7v20201028
Behavioral task
behavioral14
Sample
Nov2018New!/ds7002.bin.lnk
Resource
win10v20201028
Behavioral task
behavioral15
Sample
ds7002.pdf
Resource
win7v20201028
Behavioral task
behavioral16
Sample
ds7002.pdf
Resource
win10v20201028
Behavioral task
behavioral17
Sample
SeaDaddyImplant (2).bin.exe
Resource
win7v20201028
Behavioral task
behavioral18
Sample
SeaDaddyImplant (2).bin.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
SeaDaddyImplant.bin.exe
Resource
win7v20201028
Behavioral task
behavioral20
Sample
SeaDaddyImplant.bin.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
TrojanCozyBear.bin.exe
Resource
win7v20201028
Behavioral task
behavioral22
Sample
TrojanCozyBear.bin.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
atiagentCozyBear.bin.dll
Resource
win7v20201028
Behavioral task
behavioral24
Sample
atiagentCozyBear.bin.dll
Resource
win10v20201028
Malware Config
Extracted
cobaltstrike (Cobalt Strike Beacon configuration; the page does not say which of the samples below it was carved from. Several numeric fields look byte-swapped relative to the documented Beacon settings — e.g. beacon_type 2048 = 0x0800 reads as 8/HTTPS, which would agree with port_number 443 — so confirm the values with an independent config parser before using them in detections.)
http://pandorasong.com:443/access/
-
access_type
512
-
beacon_type
2048
-
host
pandorasong.com,/access/
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
4352
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
300000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
7.382016e+08
-
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/radio/xmlrpc/v45
-
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Targets
-
-
Target
APT29miniduke.bin
-
Size
140KB
-
MD5
f08ef840f59cbd4c4695e36ef3eaa9d7
-
SHA1
68d3673953dc1e3b6273931572f425402c0ecb1c
-
SHA256
dd215d76bcfd72ebcfb50ccfeb9fb1703af4bbf4821de225009f43fc4e08e432
-
SHA512
9b00ed01389965266ba957109ec46e01f039103986a479c447ad7ab898349f4fe6453204e3813031e276e2da1953a91e9a27dda88402dcaf90ddc201ee0c7718
Score3/10 -
-
-
Target
CozyBearImplant.bin
-
Size
3.0MB
-
MD5
ce227ae503e166b77bf46b6c8f5ee4da
-
SHA1
cb872edd1f532c10d0167c99530a65c4d4532a1e
-
SHA256
b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae
-
SHA512
529a7c357ba6588482dff00d6d8c245e4c8b97c23ad1f48e1542406c24c6a72f3e1f02752e2ed3cbb904880f3f7dfbab66d9d50ec24ecc3373aba4c334e397b8
Score1/10 -
-
-
Target
ImplantCozy.bin
-
Size
3.0MB
-
MD5
004b55a66b3a86a1ce0a0b9b69b95976
-
SHA1
e2b98c594961aae731b0ccee5f9607080ec57197
-
SHA256
6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536
-
SHA512
30ad634e6491bed01cdb7ca448d03094c568a99f786e1d82702d304df041a76b8c062248840c9d7d5572a44a4d47d2a6024a35ff528ad56302273baf2627d308
Score1/10 -
-
-
Target
MinidukeAPT29.bin
-
Size
140KB
-
MD5
887489b27f6e7053ec2702dc8ba51af7
-
SHA1
79176c5ad3aeca542f9043657bacf55368a63106
-
SHA256
c485cbcd5b21db8029654bd47879f086feed41492aebed33a9afe9d73f5069e7
-
SHA512
2a5961a14851ada815319f16af0f44d27c35dfdee041a73e7da985a085964a1fb5cae08e8f40c41436800a137f284d945a3e5bfd04a46c37703daec3820988a1
Score3/10 -
-
-
Target
Nov2018New!/AudioSes.dll
-
Size
287KB
-
MD5
16bbc967a8b6a365871a05c74a4f345b
-
SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf
-
SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05
-
SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99
Score10/10 -
-
-
Target
ds7002.lnk
-
Size
392KB
-
MD5
6ed0020b0851fb71d5b0076f4ee95f3c
-
SHA1
e431261c63f94a174a1308defccc674dabbe3609
-
SHA256
2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
-
SHA512
2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3
Score 10/10 -
Loads dropped DLL
-
-
-
Target
Nov2018New!/ds7002.bin
-
Size
392KB
-
MD5
6ed0020b0851fb71d5b0076f4ee95f3c
-
SHA1
e431261c63f94a174a1308defccc674dabbe3609
-
SHA256
2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
-
SHA512
2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3
Score 3/10 - (identical MD5/SHA1/SHA256/SHA512 to ds7002.lnk above, which scored 10/10; the gap reflects different sandbox runs of the same file, not a different sample)
-
-
Target
ds7002.pdf
-
Size
85KB
-
MD5
313f4808aa2a2073005d219bc68971cd
-
SHA1
053fb60530e884851eb8b6aebbec4570ec788d4a
-
SHA256
b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1
-
SHA512
1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d
Score1/10 -
-
-
Target
SeaDaddyImplant (2).bin
-
Size
3.0MB
-
MD5
004b55a66b3a86a1ce0a0b9b69b95976
-
SHA1
e2b98c594961aae731b0ccee5f9607080ec57197
-
SHA256
6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536
-
SHA512
30ad634e6491bed01cdb7ca448d03094c568a99f786e1d82702d304df041a76b8c062248840c9d7d5572a44a4d47d2a6024a35ff528ad56302273baf2627d308
Score 1/10 - (same hashes as ImplantCozy.bin above; the two entries are one file under two names)
-
-
Target
SeaDaddyImplant.bin
-
Size
3.0MB
-
MD5
ce227ae503e166b77bf46b6c8f5ee4da
-
SHA1
cb872edd1f532c10d0167c99530a65c4d4532a1e
-
SHA256
b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae
-
SHA512
529a7c357ba6588482dff00d6d8c245e4c8b97c23ad1f48e1542406c24c6a72f3e1f02752e2ed3cbb904880f3f7dfbab66d9d50ec24ecc3373aba4c334e397b8
Score 1/10 - (same hashes as CozyBearImplant.bin above; the two entries are one file under two names)
-
-
Target
TrojanCozyBear.bin
-
Size
330KB
-
MD5
3d3363598f87c78826c859077606e514
-
SHA1
8b357ff017df3ed882b278d0dbbdf129235d123d
-
SHA256
01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9
-
SHA512
11a9b8dc666877695a7ea0683c83d057b7539fae7e445250d71fd34fdc557df946b4938bf419ddbdc5f4439f3d828ddb4d83d3a9f7f18cb92454da6fdfd99b24
Score 8/10 -
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
atiagentCozyBear.bin
-
Size
52KB
-
MD5
452ee2968ec82c7e30c21c828b330c17
-
SHA1
00384c359e2931fb922b034fca2707e1b2a25396
-
SHA256
43cd9ef6904c35c6854bf59d99731a05048af9e870261064a255db0181930fad
-
SHA512
bef788d69d8d75579cbf6499b4c2aec7c413cc56fea2a51efc4dc7742f52648fff3b64b78b3d8544d81ee473472521d352f931b56564a88031c5116444b65926
Score1/10 -