Resubmissions

15-11-2021 20:14

211115-y1dx6agddn 10

02-08-2021 18:10

210802-jwy76dmvpn 10

General

  • Target

    bed512b1b901f03d421d39132a6c75b6.exe

  • Size

    219KB

  • Sample

    211115-y1dx6agddn

  • MD5

    bed512b1b901f03d421d39132a6c75b6

  • SHA1

    2307140fc122b7b732e7f674f092b7ad1345e503

  • SHA256

    447c7b72c9960482380551b0301ad0b0357ed00cba2f60f6ccc26fd766761df2

  • SHA512

    5ccc43e9ae0dceca9e3ec7f66461d627f76bd4e6866587cad9d63b20590e45849a895530f5bb1a7f964b71ea86350a6899bc9a9d6a4cde95966655d002284900

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://onlineworkercz.com:443/kj

Attributes

  • access_type

    512

  • beacon_type

    2048

  • host

    onlineworkercz.com,/kj

  • http_header1


  • http_header2


  • http_method1

    GET

  • http_method2

    POST

  • jitter

    10496

  • polling_time

    55490

  • port_number

    443

  • sc_process32

    %windir%\syswow64\WUAUCLT.exe

  • sc_process64

    %windir%\sysnative\WUAUCLT.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCuO+TfDI6WktSbvs/3blseLjSFe79qLFKTt0IYnt1gzL1j6v4f5qwqwofkf3DxYOUSJFq0Wbv1C6xmKqhpjr8ksoOtQgajegxygMswgFcKpNQUw0khVk9UY2ZaOpqsVtVo1ZFE+/hYYe2lBJQwqwsy/SuA61onkDio1CieulxiOwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.272630272e+09

  • unknown2

    AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /media

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9

  • watermark

    1359593325

Targets

    • Target

      bed512b1b901f03d421d39132a6c75b6.exe

    • Size

      219KB

    • MD5

      bed512b1b901f03d421d39132a6c75b6

    • SHA1

      2307140fc122b7b732e7f674f092b7ad1345e503

    • SHA256

      447c7b72c9960482380551b0301ad0b0357ed00cba2f60f6ccc26fd766761df2

    • SHA512

      5ccc43e9ae0dceca9e3ec7f66461d627f76bd4e6866587cad9d63b20590e45849a895530f5bb1a7f964b71ea86350a6899bc9a9d6a4cde95966655d002284900

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • suricata: ET MALWARE Observed Cobalt Strike CnC Domain (onlineworkercz .com in TLS SNI)
