Overview

overview

10

Static

static

7

080ee6c068...3a.exe

windows7_x64

10

080ee6c068...3a.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.7z

  • Size

    3.1MB

  • Sample

    220119-wzszkscce9

  • MD5

    13394cc693fe018d947cfb169b065fe5

  • SHA1

    7a641c617d8056f9bbba07cdc9a7ca66e647d2c5

  • SHA256

    d850202961a4ad215a5779c3794a11eeb82da11ab6ebdb52400e6b60fb1bdc2f

  • SHA512

    5a1872864ba022dfac2d2ccb6c598d8434f53a5b3dfc72939a8728393d30e12d7b46607d545f35cdaf6cd43172a38e94354bc45b0e31b01dc07e3a2e599f478f

Score
10/10
cobaltstrikebackdoorevasionthemidatrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://106.12.99.85:80/qu6A

Attributes
  • user_agent

    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

Targets

    • Target

      080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a

    • Size

      3.1MB

    • MD5

      b35f113ac3f89dc786064a81431ca438

    • SHA1

      bd876ac81afbceaf4d4fc17e99c4f7012a92d4a4

    • SHA256

      080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a

    • SHA512

      1ec646e25c6d3242cb27e6b1c0d000e0dacdd2e927d7ae4422065f8905662f55ef9286eda7e9719fb083854fae87325dc0e3a4313ac800d2142fcfdd707dd822

    Score
    10/10
    cobaltstrikebackdoorevasiontrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks