Malware sandboxing report by Hatching Triage

Target

beacon.exe

Size

14KB

Sample

220331-rjdgqshbfm

Score

10^/10

MD5

2d0e28316e3f60de63654609f3a1b297

SHA1

99e64215ea6f3027dc1928ac26443953c8f5294d

SHA256

8c8b4cd6f149a3b9cfaeb11f49d8748233731be028b8e9ad9b3f8d0c3987cfc8

SHA512

481bd8ff670f2e637d4678e37927e2c76d7dd35a6034ced40b5b62c60d082951740874fc58743002c61d5cebfaec508f983c3dd7cddad8ed711d97e9ae12d713

Extracted

Family	cobaltstrike
C2	http://qb.awotj.com:80/pacom003/ST/CSo0w1j8/d/2376/lo2c.htm http://qb.awotj.com:80/pacom003/ST/CSo0w1j8/d/2376/lo2c.htm
Attributes	user_agent Accept: / Connection: Keep-Alive Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177 Host: qb.awotj.com

Extracted

Family	cobaltstrike
Botnet	1
C2	http://qb.awotj.com:80/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d http://qb.awotj.com:80/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d
Attributes	access_type 512 host qb.awotj.com,/pacom003/_layouts/Wopi/01554532-64bc-45ee-9645-512577ae642d http_header1 AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAOc2Vzc2lvbi10b2tlbj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= http_header2 AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAXQ29udGVudC1UeXBlOiBpbWFnZS9wbmcAAAAJAAAADW9lPUlTTy04ODU5LTEAAAAHAAAAAAAAAAUAAAACc24AAAAJAAAABnM9MTEyNAAAAAkAAAAmZF9yZWZlcmVyPWh0dHAlM0ElMkYlMkZiYW5rLnBpbmdhbi5jb20AAAAHAAAAAQAAAAMAAAACAAAABIlQTkcAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= http_method1 GET http_method2 POST jitter 7680 polling_time 5500 port_number 80 sc_process32 %windir%\syswow64\w32tm.exe sc_process64 %windir%\sysnative\w32tm.exe state_machine MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRpwp8UKDSrLYmg1T8qsKaBTiSXmGzJsxjfT1zSQAP4VsmBXHqnwIcuUrjaAfl0yFmxYlo2kUpHgGryMxFXKaFfanzRs+TOYzHMW1p5kwzLgwsHY7GPfVUG1mVTpq3WIFkQ6ltcRC79FXrjKSlcQbTMZXNg/aQ3C9F0HAZzpNnBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== unknown1 1.515525376e+09 unknown2 AAAABAAAAAIAAAAEAAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== uri /pacom003/person/ithelp/bug/list user_agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177 watermark 1

Target

beacon.exe

MD5

2d0e28316e3f60de63654609f3a1b297

Filesize

14KB

Score

10^/10

SHA1

99e64215ea6f3027dc1928ac26443953c8f5294d

SHA256

8c8b4cd6f149a3b9cfaeb11f49d8748233731be028b8e9ad9b3f8d0c3987cfc8

SHA512

481bd8ff670f2e637d4678e37927e2c76d7dd35a6034ced40b5b62c60d082951740874fc58743002c61d5cebfaec508f983c3dd7cddad8ed711d97e9ae12d713

Signatures

Cobaltstrike
Description

Detected malicious payload which is part of Cobaltstrike.
Tags

trojan backdoor cobaltstrike
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
Description

suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
Tags

suricata
Blocklisted process makes network request
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

Score

N/A

behavioral1

cobaltstrike 1 backdoor suricata trojan

Score

10^/10

behavioral2

cobaltstrike 1 backdoor suricata trojan

Score

10^/10

Extracted

Extracted

Tags

Signatures

Cobaltstrike

Description

Tags

suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1

Description

Tags

Blocklisted process makes network request

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2