Overview

overview

10

Static

static

a88e83a880...ir.exe

windows7_x64

10

a88e83a880...ir.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    08-01-2022 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a88e83a8808d0978892705e0db49b784.exe.vir.exe

  • Size

    19KB

  • MD5

    a88e83a8808d0978892705e0db49b784

  • SHA1

    4f98927d80bc29e7dcc5db96ea772fc260084cf6

  • SHA256

    6c737ddbc304760111281fc03f544a9fa7529f15c85241f57cfae9fce79c5856

  • SHA512

    1d2da9c21c870e4b4e4cb66fadc14930868d9f0f83fcb318258b8aba99f5fb969ee2bbeab21df50e94d57e4fd1824357fec06631b65208f8b2326f57d6e2cf1c

Score
10/10
cobaltstrike0backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://www.fscoode.xyz:2083/dJeJ

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko

Extracted

Family

cobaltstrike

Botnet

0

C2

http://www.fscoode.xyz:2083/access/

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    www.fscoode.xyz,/access/

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAAEhDb29raWU6ICBfX3V0bWE9MjEwMDc3NjIyLjE3MzI0Mzk5OTUuMTQzMzIwMTQ2Mi4xNDAzMjA0MzcyLjEzODUyMDI0OTMuMjsAAAAJAAAACXZlcnNpb249NAAAAAkAAAAObGlkPTE1ODI1MDI3MjQAAAAHAAAAAAAAAAgAAAAFAAAABXRva2VuAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAHAAAAAAAAAAUAAAADcmlkAAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAkAAAAfbWV0aG9kPWdldFNlYXJjaFJlY29tbWVuZGF0aW9ucwAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    5376

  • polling_time

    1000

  • port_number

    2083

  • sc_process32

    %windir%\syswow64\WerFault.exe

  • sc_process64

    %windir%\sysnative\WerFault.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbpXVpOkYGrwsZZkZJfk9eJ2rNap4IcIBRhWbvHtYFQGqn4wznr9nvbZsofxNRHuPEjC4Gouxd5h/c/TiROj9uKeeNcPEYtlSOFDmFw2QbJWxG02IC/Iu4GTNgT37h+cvgPU/MXFTu3VCC6Bv4iMzcebXCVogqbLzo32i1TZQ8vwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.4764032e+09

  • unknown2

    AAAABAAAAAgAAAACAAAAEAAAAAIAAAAQAAAAAgAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /radio/xmlrpc/v35

  • user_agent

    Mozilla/5.0 (Trident/7.0; LCJB; rv:11.0) Iike Gecko

  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a88e83a8808d0978892705e0db49b784.exe.vir.exe
    "C:\Users\Admin\AppData\Local\Temp\a88e83a8808d0978892705e0db49b784.exe.vir.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe
      2⤵
        PID:1104

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1104-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1104-59-0x00000000001E0000-0x0000000000216000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1104-60-0x0000000000060000-0x0000000000091000-memory.dmp
      Filesize

      196KB

      Download
    • memory/1588-54-0x0000000000020000-0x0000000000021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1588-55-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1588-56-0x0000000004260000-0x0000000004660000-memory.dmp
      Filesize

      4.0MB

      Download