General

  • Target

    cs.exe

  • Size

    219KB

  • Sample

    211005-ngklgshhhn

  • MD5

    7c766b8bfaba529f3752255eebe5e9d2

  • SHA1

    e877ff6dd108883a904742ce23ebd5e8e5151672

  • SHA256

    e16f25682655887cfe2bbaf1634210b901fbc9a8c17ffc7bad06912dfe6e8010

  • SHA512

    5ce71fff7292a3fc207a8beab57792fd04f8441cb2829f5b18be73b9a372799d57f50b17209633d7fb12cb90b0bdecd3c025c7c1018ef48150d0941b275b4324

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://pypi.python.org:443/questions/32251816/c-sharp-directives-compilation-error

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    pypi.python.org,/questions/32251816/c-sharp-directives-compilation-error

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAcAAAAAAAAACAAAAAIAAAAFcHJvdj0AAAABAAAADjtub3RpY2UtY3R0PSExAAAAAQAAAA87X2dhPUdBMS4yLjk5MjQAAAABAAAABztfZ2F0PTEAAAABAAAAEDtfX3FjYT1QMC0yMTQ0NTkAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiBlbgAAAAcAAAABAAAACAAAAAIAAAAFcHJvdj0AAAABAAAADjtub3RpY2UtY3R0PSExAAAAAQAAAA87X2dhPUdBMS4yLjk5MjQAAAABAAAABztfZ2F0PTEAAAABAAAAEDtfX3FjYT1QMC0yMTQ0NTkAAAAGAAAABkNvb2tpZQAAAAcAAAAAAAAADQAAAAUAAAAJYW5zd2VydGFiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    GET

  • jitter

    5632

  • polling_time

    35000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAJ9HSCGpsUISIdcX9KSquGTBtNV2BM1E1rv+Ft+mdYImNxh8Nz4froDPf/4X+lKkxgW23GjBft5PITEy/oAJK/Q65fMN90V89aOXvFqTE43YBWaqDawPzPt6cDALvUtnULBWceckc0qo9kOwxn9N4aAi7RLBSP9beFe5VEP7yUQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.445232896e+09

  • unknown2

    AAAABAAAAAEAAAQ/AAAAAgAAABEAAAACAAAATgAAAAIAAAAHAAAAAgAAAHMAAAACAAAAXgAAAAIAAAABAAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    1.610612736e+09

  • uri

    /questions/32251817/c-sharp-directives-compilation-error

  • user_agent

    Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36

  • watermark

    1359593325

Targets

    • Target

      cs.exe

    • Size

      219KB

    • MD5

      7c766b8bfaba529f3752255eebe5e9d2

    • SHA1

      e877ff6dd108883a904742ce23ebd5e8e5151672

    • SHA256

      e16f25682655887cfe2bbaf1634210b901fbc9a8c17ffc7bad06912dfe6e8010

    • SHA512

      5ce71fff7292a3fc207a8beab57792fd04f8441cb2829f5b18be73b9a372799d57f50b17209633d7fb12cb90b0bdecd3c025c7c1018ef48150d0941b275b4324

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • suricata: ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile)

      suricata: ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile)

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Tasks