General

  • Target

    1.rar

  • Size

    209KB

  • Sample

    220706-ehb63aadf5

  • MD5

    034cccac393b24e82854733228cbf445

  • SHA1

    e01bb8d6c9edab7a40d808e0cc0a77f6698917b8

  • SHA256

    e64165bd9e0c0a723e5a35dcca942c0b83a3c44941279bbf8c93c34a4a924401

  • SHA512

    57cafda4568fc84ef888c916ce4c02ba77107c01a5e74a60b8e8450ddce4c53b5b95d67c3bd1849d296290840938212b98cd2d4c6fc192361f81c13e4f5ac0af

Malware Config

Extracted

  • Family

    metasploit

  • Version

    windows/download_exec

  • C2

    http://42.194.199.231:443/9ws9

Targets

    • Target

      中国电机工程学会-2022年度新型电力系统创新奖申报表.exe.vir

    • Size

      515KB

    • MD5

      0299feffabdd3815d2249a5643203e3f

    • SHA1

      bdba33cf063fada308e401ab34980c62bc7dacbc

    • SHA256

      ed220a4ab4a9de44a5d1cd380be9dab98e90f820003e38bff4163ff4c881ea30

    • SHA512

      8ff00b998c386bfe96da6c7dce2c1e5cae6b671c0ebcef0d7da7a8f3fd9150af76587c11a3771f4c8e8b3f7301a642691a2d7cf99cc4bac1f052b8486826125d

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • suricata: ET MALWARE Cobalt Strike Beacon Observed

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

    • suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

    • suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)

    • suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry
    1 T1112

  • Discovery

    Query Registry
    3 T1012

    System Information Discovery
    4 T1082

Tasks