General

  • Target

    Ihopot2.dll

  • Size

    404KB

  • Sample

    211214-vw9mgsgbe3

  • MD5

    c681c785d6055a1d5a8fe74403c9dfe9

  • SHA1

    50713534b62404d6f502a3efa129460fd7fb6927

  • SHA256

    f9c4a119234df78e1ad71b10fb0bf18622fd5245b72b93e5b71992f20cb9fd2e

  • SHA512

    bdd5135e3092c3a69340ef4790756d3fe1be933a83d3ab65c3b80d2aa2a134249d70ae67027605035b9e16e792d8a4930af73124ac0d8280674dd3d44f9a8e62

Malware Config

Extracted

Family

cobaltstrike

C2

http://bqtconsulting.com:443/image-directory/templates.mp3

Attributes
  • user_agent

    Host: bqtconsulting.com Connection: close Accept: image/jpeg Accept-Language: en-GB;q=0.9, *;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246

Extracted

Family

cobaltstrike

Botnet

305419776

C2

http://bqtconsulting.com:443/da.html

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    bqtconsulting.com,/da.html

  • http_header1

    AAAAEAAAABdIb3N0OiBicXRjb25zdWx0aW5nLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAAAAAAgAAAADAAAAAgAAAAVIU0lEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABdIb3N0OiBicXRjb25zdWx0aW5nLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAABAAAACwAAAAMAAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    11008

  • polling_time

    57750

  • port_number

    443

  • sc_process32

    %windir%\syswow64\svchost.exe

  • sc_process64

    %windir%\sysnative\svchost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCIb457MN0OxBGqjtu2Ps94Quqgo0FAOwvyWXZK225TmZ4JymCqXghrwYOcQgz1rXZeQkoOjEomrqjIEnpxYzaQfmCsBw7d95XXIlpznmf2Pma4kLzC6W8/zmW9NN6ojMS+dPMe3nzA5qrABXXCd2g/JGMYUb6fIp2oVLeQP83tVQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    7.8457344e+07

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /copyright

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246

  • watermark

    305419776

Targets

    • Target

      Ihopot2.dll

    • Size

      404KB

    • MD5

      c681c785d6055a1d5a8fe74403c9dfe9

    • SHA1

      50713534b62404d6f502a3efa129460fd7fb6927

    • SHA256

      f9c4a119234df78e1ad71b10fb0bf18622fd5245b72b93e5b71992f20cb9fd2e

    • SHA512

      bdd5135e3092c3a69340ef4790756d3fe1be933a83d3ab65c3b80d2aa2a134249d70ae67027605035b9e16e792d8a4930af73124ac0d8280674dd3d44f9a8e62

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Blocklisted process makes network request

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Tasks