General

  • Target

    0e999a347d3de40fd0b554bb56624e68e0e26e219c970018edfd9f7949cf7a0a

  • Size

    21KB

  • Sample

    210428-78616vx4hn

  • MD5

    e87db96cd174302eb50197838cd0e600

  • SHA1

    42a56aeb563dbd3ca10e1b3e5470d2214ddd44de

  • SHA256

    0e999a347d3de40fd0b554bb56624e68e0e26e219c970018edfd9f7949cf7a0a

  • SHA512

    45084a5c9d796465dc9775d1d55d2f232e164a24fb0e5adc601ca4766974ef6c06a0b55e87b85d70bdc0efe38b1095e94e4d73291828c345a3d54766760b1ce4

Malware Config

Extracted

  • Family

    metasploit

  • Version

    windows/download_exec

  • C2

    http://194.15.112.119:443/wp/clients/windows10.0-kb4487020-x64_c24ea4717e559b13e5.cab

Extracted

  • Family

    cobaltstrike

  • Botnet

    1580103814

  • C2

    http://asureupdate.tech:443/c/msdownload/update/2018/04/lp_2b2fe45d38601f8ee9f0fef

    http://194.15.112.119:443/c/msdownload/update/2018/04/lp_2b2fe45d38601f8ee9f0fef

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    asureupdate.tech,/c/msdownload/update/2018/04/lp_2b2fe45d38601f8ee9f0fef,194.15.112.119,/c/msdownload/update/2018/04/lp_2b2fe45d38601f8ee9f0fef

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAgSG9zdDogZG93bmxvYWQud2luZG93c3VwZGF0ZS5jb20AAAAHAAAAAAAAAAMAAAACAAAACFNFU1NJT049AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAgSG9zdDogZG93bmxvYWQud2luZG93c3VwZGF0ZS5jb20AAAAHAAAAAAAAAAUAAAAJdXBkYXRlX2lkAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    14080

  • polling_time

    55423

  • port_number

    443

  • sc_process32

    %windir%\syswow64\mstsc.exe

  • sc_process64

    %windir%\sysnative\mstsc.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIxFQoQgA1ohF/81E6jHydAStU+7n2UivmZIExLW/w7Tai+MVSyk7estr+klSjl5LnH+0IgKXxOfogBOSTboCS88piP2vEqCJQ0tDzFxZuukZd5aTTxhLseQI1V2uWrc9iyfETt6Rtkqj40JmCrh2+RJTSBezpd7vmhy+Sf0ePJQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /c/msdownload/update/2019/05/lp_2b2fe45d38601f8ee9f0fef

  • user_agent

    Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0

  • watermark

    1580103814

Targets

    • Target

      0e999a347d3de40fd0b554bb56624e68e0e26e219c970018edfd9f7949cf7a0a

    • Size

      21KB

    • MD5

      e87db96cd174302eb50197838cd0e600

    • SHA1

      42a56aeb563dbd3ca10e1b3e5470d2214ddd44de

    • SHA256

      0e999a347d3de40fd0b554bb56624e68e0e26e219c970018edfd9f7949cf7a0a

    • SHA512

      45084a5c9d796465dc9775d1d55d2f232e164a24fb0e5adc601ca4766974ef6c06a0b55e87b85d70bdc0efe38b1095e94e4d73291828c345a3d54766760b1ce4

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • T1130 Install Root Certificate (1)

  • T1112 Modify Registry (1)