Overview

overview

10

Static

static

420088c49c...16.exe

windows7_x64

10

420088c49c...16.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    420088c49ca30f9330dbae99c7f54d3e5598f266cdfdb20f520f09e292e45c16

  • Size

    861KB

  • Sample

    220704-gtspasehel

  • MD5

    f3d0646fa771df9555d51dc6f6334f5e

  • SHA1

    ef5e02686b76ab6d98b3ef459680444740a4e459

  • SHA256

    420088c49ca30f9330dbae99c7f54d3e5598f266cdfdb20f520f09e292e45c16

  • SHA512

    2c5612af31057c8b44e403030d589df8e4fa21660cb772c749521e725991832a2b3ac9dfaebd4355e7d503e70c3bf4715936727b693503c5bbfb25007125aaf6

Score
10/10
cobaltstrikemetasploit999999backdoorsuricatatrojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://www.sgcc-cdn.tk:8443//jquery-3.3.1.slim.min.js

Extracted

Family

cobaltstrike

Botnet

999999

C2

http://www.sgcc-cdn.tk:8443//jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    www.sgcc-cdn.tk,//jquery-3.3.1.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    45000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0JYdyFmKJo8a7JIDeBqIa0rgiNHYLFi9Fhdl13fzbNIMhewqUnrnFHlpBgFvQViuE+zA/ltAAtQX7ZzDhalQKs0y1zS1NZwK1gSiz8R1d+TEKdjStpOzbd+U1mbS1Ep3/liiQ6JP4jlXjJOt9yoItHtc5JocvYCCIqWzmBcHIfQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    //jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36

  • watermark

    999999

Targets

    • Target

      420088c49ca30f9330dbae99c7f54d3e5598f266cdfdb20f520f09e292e45c16

    • Size

      861KB

    • MD5

      f3d0646fa771df9555d51dc6f6334f5e

    • SHA1

      ef5e02686b76ab6d98b3ef459680444740a4e459

    • SHA256

      420088c49ca30f9330dbae99c7f54d3e5598f266cdfdb20f520f09e292e45c16

    • SHA512

      2c5612af31057c8b44e403030d589df8e4fa21660cb772c749521e725991832a2b3ac9dfaebd4355e7d503e70c3bf4715936727b693503c5bbfb25007125aaf6

    Score
    10/10
    cobaltstrikemetasploit999999backdoorsuricatatrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

      suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

      suricata

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

      suricata: ET MALWARE Generic .bin download from Dotted Quad

      suricata

    • suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)

      suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)

      suricata

    • suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)

      suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)

      suricata

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks