General

  • Target

    f3d980b4d9443683b9e0aba0985deb670b8a6254f1e08def6f14f500527ef7dd

  • Size

    1.5MB

  • Sample

    220705-mmag2agcbl

  • MD5

    02300e90dfe69aabe04b5de7da35eea8

  • SHA1

    ba7ba184d95482c53204116adf14e3eb1e4d79e2

  • SHA256

    f3d980b4d9443683b9e0aba0985deb670b8a6254f1e08def6f14f500527ef7dd

  • SHA512

    12dc367898af4863c9423fb6982a7b58a76ae78ff84eaf401fead4292f96688e49a070367c0a196e495a8b30629fe796a406cab1651051dbb67fd8d34480d07c

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://124.223.216.170:9443/URjK

Targets

    • Target

      f3d980b4d9443683b9e0aba0985deb670b8a6254f1e08def6f14f500527ef7dd

    • Cobalt Strike

      Detected a malicious payload that is part of Cobalt Strike.

    • Metasploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • suricata: ET MALWARE Cobalt Strike Beacon Observed

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

    • suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

    • suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)

    • suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      ID     Count
  Defense Evasion  Modify Registry                T1112  1
  Discovery        Query Registry                 T1012  3
  Discovery        System Information Discovery   T1082  4
