Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.7z
Size

3MB
Sample

220119-wzszkscce9
MD5

13394cc693fe018d947cfb169b065fe5
SHA1

7a641c617d8056f9bbba07cdc9a7ca66e647d2c5
SHA256

d850202961a4ad215a5779c3794a11eeb82da11ab6ebdb52400e6b60fb1bdc2f
SHA512

5a1872864ba022dfac2d2ccb6c598d8434f53a5b3dfc72939a8728393d30e12d7b46607d545f35cdaf6cd43172a38e94354bc45b0e31b01dc07e3a2e599f478f

Score

10^/10

cobaltstrike backdoor evasion themida trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://106.12.99.85:80/qu6A

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

Targets

- Target
  
  080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a
- Size
  
  3MB
- MD5
  
  b35f113ac3f89dc786064a81431ca438
- SHA1
  
  bd876ac81afbceaf4d4fc17e99c4f7012a92d4a4
- SHA256
  
  080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a
- SHA512
  
  1ec646e25c6d3242cb27e6b1c0d000e0dacdd2e927d7ae4422065f8905662f55ef9286eda7e9719fb083854fae87325dc0e3a4313ac800d2142fcfdd707dd822
Score

10^/10

cobaltstrike backdoor evasion trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Virtualization/Sandbox Evasion

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

cobaltstrikebackdoorevasiontrojan

behavioral2

cobaltstrikebackdoorevasiontrojan