Resubmissions

19-01-2023 23:34

230119-3ke8hahf97 10

03-05-2021 14:01

210503-bb13sk87nn 10

Analysis

  • max time kernel
    131s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    03-05-2021 14:01

General

  • Target

    fc008b1f_by_Libranalysis.exe

  • Size

    813KB

  • MD5

    fc008b1ff424b45bc9e616cfd8aaeae4

  • SHA1

    b526df575129071d4627dbe0b27f40e525dd0c43

  • SHA256

    3f9cf521bf11dfe1a5b6baebde88f8eaac8e851ed8bcf220109d081b4a3f0b6f

  • SHA512

    f66ecaaa7b6dd97de3e536554391f94e5d11112488fd23953e6d5382bb524a5dd9e9d4fc0fd38bdcefc634e1af862decc5353e7d394d7ee2528295f7be49ad32

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://192.99.250.7:80/r-arrow.js

Attributes
  • access_type

    512

  • host

    192.99.250.7,/r-arrow.js

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    10496

  • polling_time

    62222

  • port_number

    80

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.272630272e+09

  • unknown2

    AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /ki

  • user_agent

    Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0

  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc008b1f_by_Libranalysis.exe
    "C:\Users\Admin\AppData\Local\Temp\fc008b1f_by_Libranalysis.exe"
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo usKgACrQlXGRauSoRGETcxGDXHqhRXBNnJywyuzKMG>"C:\Users\Admin\AppData\Local\Temp\DEM1C5.tmp"&exit
      PID:1192

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM1C5.tmp
    MD5

    8c9dd17caf3522d0106e46e62c88a613

    SHA1

    4d6e184589183d93b2cd89626b0030c4f68e4a81

    SHA256

    9a736c66045892fb81b8736bc5b3fec78db1f4fdf958bb46b7397708035e1787

    SHA512

    b552e59ebf5e7f614620c7fa24fea7a054439c924b34e3680bec0e776ed54bc3c0bdacec0fc8e053da3d08b6b18dfb82abc5a27cb9836a1551da83c1da84e91d

  • memory/1084-61-0x00000000002B0000-0x00000000002E3000-memory.dmp
    Filesize

    204KB

  • memory/1084-62-0x0000000000940000-0x00000000009C7000-memory.dmp
    Filesize

    540KB

  • memory/1084-63-0x00000000752F1000-0x00000000752F3000-memory.dmp
    Filesize

    8KB

  • memory/1084-64-0x0000000000940000-0x00000000009C7000-memory.dmp
    Filesize

    540KB

  • memory/1192-59-0x0000000000000000-mapping.dmp