Coll[.]CozyBear[.]zip | Triage

Sharing

General

Target

Coll.CozyBear.zip
Size

13.0MB
MD5

e049fd6d80d9285d156cdf5785a6e28e
SHA1

24752be3d70d5a36280da5b7ecf5b5b77039ac8e
SHA256

300c090861a547a4c211b15b9f45d6dcb976128c21b78b6c38d1cf4c5d998e12
SHA512

31915051a03611c7b00b0c25225cb905322e777c9aa3ebc600206c5bc6665cd407d61a66925b4d5c82ec350d503b7f0c99df2c3d62411e226ebcc73c3aceea56

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
static1/unpack002/CozyBearImplant.bin	upx
static1/unpack002/ImplantCozy.bin	upx
static1/unpack002/SeaDaddyImplant (2).bin	upx
static1/unpack002/SeaDaddyImplant.bin	upx

Files

Coll.CozyBear.zip
.zip

Password: infected
Coll.CozyBear
.zip

Password: infected
APT29miniduke.bin
.dll windows x86

Exports

Exports

ADB_Add
ADB_Cleanup
ADB_Init
ADB_Load
ADB_Release
ADB_Remove
ADB_Setup
DllMain
CozyBearImplant.bin
.exe windows x86
ImplantCozy.bin
.exe windows x86
MinidukeAPT29.bin
.dll windows x86

Exports

Exports

ADB_Add
ADB_Cleanup
ADB_Init
ADB_Load
ADB_Release
ADB_Remove
ADB_Setup
DllMain
Nov2018New!/.DS_Store
Nov2018New!/AudioSes.dll
.dll windows x64

Exports

Exports

PointFunctionCall
Nov2018New!/CozybearNov2018Activity.txt
Nov2018New!/ds7001.zip
.zip
ds7002.lnk
.lnk
Nov2018New!/ds7002.bin
.lnk
Nov2018New!/ds7002.zip
.zip
ds7002.pdf
.pdf
SeaDaddyImplant (2).bin
.exe windows x86
SeaDaddyImplant.bin
.exe windows x86
TrojanCozyBear.bin
.exe windows x86
atiagentCozyBear.bin
.dll windows x86 regsvr32

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer