Overview

overview

10

Static

static

E31B.dll

windows7_x64

10

E31B.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    E31B.dll

  • Size

    381KB

  • Sample

    211007-wdwtcadacn

  • MD5

    275de0fa302b364194f5cccc02de4a6a

  • SHA1

    aee64bec2f84252fc593c2b372086e03507497b5

  • SHA256

    fa2f0b11ec2b3e84560a8a3d686343c7099f1fa5a1694d3c5c2562db662902e2

  • SHA512

    f07ba9b200ae5a3888c68811f215f15019995b2a6379a2bb3f2e4f06138b45e42c6dfe1614579300439b09ee93c33f01e520dd7129cbc9c99d423ba03dc6481a

Score
10/10
cobaltstrike1359593325backdoorsuricatatrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://liveblm.com:443/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    liveblm.com,/jquery-3.3.1.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAARSG9zdDogbGl2ZWJsbS5jb20AAAAKAAAAIFJlZmVyZXI6IGh0dHA6Ly9jb2RlLmpxdWVyeS5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACV9fY2ZkdWlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAARSG9zdDogbGl2ZWJsbS5jb20AAAAKAAAAIFJlZmVyZXI6IGh0dHA6Ly9jb2RlLmpxdWVyeS5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA8AAAANAAAABQAAAAhfX2NmZHVpZAAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDs9SVtI04iVtcnsnZ9gxP0aVtFalMrsA/JSi3gE0ahbWhupC8iTfDZ25Lo5/WmWenLLTRx47DoeVmXaK5tMKRo+kb1YeFsLF7f4mDOOWI0z9cYnjZqJQQ5LZN4QKIhycMscs/6aPMC0c4EDVuru6jeWV0y85JbmKSGv+DiIUAYcQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    1359593325

Targets

    • Target

      E31B.dll

    • Size

      381KB

    • MD5

      275de0fa302b364194f5cccc02de4a6a

    • SHA1

      aee64bec2f84252fc593c2b372086e03507497b5

    • SHA256

      fa2f0b11ec2b3e84560a8a3d686343c7099f1fa5a1694d3c5c2562db662902e2

    • SHA512

      f07ba9b200ae5a3888c68811f215f15019995b2a6379a2bb3f2e4f06138b45e42c6dfe1614579300439b09ee93c33f01e520dd7129cbc9c99d423ba03dc6481a

    Score
    10/10
    cobaltstrike1359593325backdoorsuricatatrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • suricata: ET MALWARE Cobalt Strike Beacon Activity (GET)

      suricata: ET MALWARE Cobalt Strike Beacon Activity (GET)

      suricata

    • suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2

      suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2

      suricata

    • suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

      suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

      suricata

    • Blocklisted process makes network request

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks