General

  • Target

    oben32.dll

  • Size

    354KB

  • Sample

    211214-q5xl3afgf6

  • MD5

    b873bfa8dec8c3a1f62c30903e59e849

  • SHA1

    2c4aaefe0c20843db9b9f4996d42c7563b081097

  • SHA256

    fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507

  • SHA512

    a8c0a467788335297f34b9a60401b0ef50e023d0efc0b77eaf560decc785ed2c2b79534e14451aab747e307baa057fad0956e2941ff28b9995d4dbbd6e762457

Malware Config

Extracted

Family

cobaltstrike

C2

http://api.musicbee.getlist.destinycraftpe.com:443/azure/v2/api

Attributes

  • user_agent

    Content-Type: application/json
    accept: */*
    cookie: HSID=cl0gxhLgPAirQvdbj
    sec-ch-ua: Chromium;v=91
    sec-ch-ua-mobile: ?0
    sec-fetch-site: same-site
    sec-fetch-mode: cors
    sec-fetch-dest: empty
    accept-encoding: gzip, deflate
    accept-language: en
    X-Amz-Cf-Pop: HTL55-C2
    User-Agent: MusicBee/3.4

Targets

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Suspicious use of NtCreateProcessExOtherParentProcess

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation