Resubmissions

  • 22-08-2022 12:38    220822-pvkdbaagf4    10

  • 22-08-2022 08:14    220822-j42q3adbel    10

General

  • Target

    0ed71442bc6234d6ffd671a83a55be74b41edfda62cbc41d4b2ce20d091fa65f

  • Size

    6.6MB

  • Sample

    220822-j42q3adbel

  • MD5

    f0a8b08e7efe3166b7842b3d70cd5b09

  • SHA1

    87c3249b8080892534c257ac7810b157b8ac36c9

  • SHA256

    0ed71442bc6234d6ffd671a83a55be74b41edfda62cbc41d4b2ce20d091fa65f

  • SHA512

    f6199d14163780b379718ddbf0530caf559a20e50b32e2ca93ced139f7a2f465ad23f9ea54e1e864dea1894a395fef663710531b432fc1c31df66e4a3575fee7

  • SSDEEP

    98304:NAmaOgoxAT4HQktlw2Kce26t+JhVWn2xxjsDjw2aRC1dIzsJosp03zQyRNNKkNA4:NSVhM3tlKXqXWnAb2aR8IzlspOPNGG

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://www.360safe.tk:2083/download/jquery-3.3.4.min.js/3

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    www.360safe.tk,/download/jquery-3.3.4.min.js/3

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    2083

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEdU7+K73SZRVCCcVKH30HCHZT5JuPpN6l/b0KLieRDIrUtB0Zw1Qau0lCyV25NbwC3daWMzstvpCTcj6Ki8B/v1nb06IQ3Y/9yUtdMMz8TNrldVMvvpb3+5zr9wI3hHAcxnhw6iGAMmROhHehuPxF+8hVf8jeAAQLuHx8W6t5TwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    2.702512128e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /download/jquery-3.3.4.min.js/4

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36

  • watermark

    1

Targets

    • Target

      0ed71442bc6234d6ffd671a83a55be74b41edfda62cbc41d4b2ce20d091fa65f

    • Size

      6.6MB

    • MD5

      f0a8b08e7efe3166b7842b3d70cd5b09

    • SHA1

      87c3249b8080892534c257ac7810b157b8ac36c9

    • SHA256

      0ed71442bc6234d6ffd671a83a55be74b41edfda62cbc41d4b2ce20d091fa65f

    • SHA512

      f6199d14163780b379718ddbf0530caf559a20e50b32e2ca93ced139f7a2f465ad23f9ea54e1e864dea1894a395fef663710531b432fc1c31df66e4a3575fee7

    • SSDEEP

      98304:NAmaOgoxAT4HQktlw2Kce26t+JhVWn2xxjsDjw2aRC1dIzsJosp03zQyRNNKkNA4:NSVhM3tlKXqXWnAb2aR8IzlspOPNGG

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112): 2

  • Install Root Certificate (T1130): 1

Discovery

  • Query Registry (T1012): 3

  • System Information Discovery (T1082): 4

Tasks