blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
143s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbc0718c3c45ed4311aec5f83572b7b92d364ab4d16bc43582e781843bdef099.exe
Size

430KB
MD5

f380f09609171148b842223b439aad4c
SHA1

1cb9344fdbe5bc4830adb3fe36f71e0be3a5121f
SHA256

cbc0718c3c45ed4311aec5f83572b7b92d364ab4d16bc43582e781843bdef099
SHA512

abd83d2ee893f3a4bd05d76a2a73d7b01609bf3d5a415e29e93822d7ee0ff46c8844a642700121b852803458f3ced247233577072a4d8c2a377aec66b4879d86
SSDEEP

12288:dsOol4Xi9tQjNFrQ2RHJ2s843DdtCDVVscEfMDJ8t3+392Exh:dyxQjHHJ2s5BtYVnEfYM3eEExh

Score

10^/10

blister cobaltstrike 1580103824 backdoor loader trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103824

http://clippershipintl.com:443/safebrowsing/sj0IWAb/YhcZADXFB3NHbxFtKgpqBtK9BllJiGEL

Attributes

access_type
512
beacon_type
2048
host
clippershipintl.com,/safebrowsing/sj0IWAb/YhcZADXFB3NHbxFtKgpqBtK9BllJiGEL
http_header1
AAAAEAAAABlIb3N0OiBDbGlwcGVyU2hpcEludGwuY29tAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAcAAAAAAAAADQAAAAIAAAAOUkVGPUlEPU5ld3NYUWUAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABlIb3N0OiBDbGlwcGVyU2hpcEludGwuY29tAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAcAAAAAAAAADQAAAAIAAAAJVT1OZXdzWFFlAAAAAgAAAAdSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10240
polling_time
13000
port_number
443
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/safebrowsing/ngge/ouB3ZNRVgpN4hPOh0MEyV0gxkn0KKppxZqbFRay
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36 Edg/78.0.276.20
watermark
1580103824

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detect Blister loader x64 2 IoCs

loader

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\sppcommdlg_64\sppcommdlg.dll	family_blister_x64
behavioral31/memory/1844-56-0x000007FEF6CD0000-0x000007FEF6D72000-memory.dmp	family_blister_x64

Loads dropped DLL 1 IoCs

Processes:

cbc0718c3c45ed4311aec5f83572b7b92d364ab4d16bc43582e781843bdef099.exe

pid process

1844 cbc0718c3c45ed4311aec5f83572b7b92d364ab4d16bc43582e781843bdef099.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1844	cbc0718c3c45ed4311aec5f83572b7b92d364ab4d16bc43582e781843bdef099.exe

C:\Users\Admin\AppData\Local\Temp\cbc0718c3c45ed4311aec5f83572b7b92d364ab4d16bc43582e781843bdef099.exe
"C:\Users\Admin\AppData\Local\Temp\cbc0718c3c45ed4311aec5f83572b7b92d364ab4d16bc43582e781843bdef099.exe"
1⤵
- Loads dropped DLL
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sppcommdlg_64\sppcommdlg.dll

Filesize
633KB

MD5
229a758e232aeb49196c862655797e12

SHA1
73067102a6b37818f83121b9033087e291c667db

SHA256
49ba10b4264a68605d0b9ea7891b7078aeef4fa0a7b7831f2df6b600aae77776

SHA512
daf8f965e4f6f2b908c1dc104f4482412c6a972e58ee068774ca95f42a67ac5a91722909dd03b7101c0e4d5230befe6643c6d907d5170bf8321ab4960f3c0fae

Download Submit
memory/1844-54-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1844-56-0x000007FEF6CD0000-0x000007FEF6D72000-memory.dmp

Filesize
648KB

Download
memory/1844-58-0x0000000001ED0000-0x0000000001F31000-memory.dmp

Filesize
388KB

Download
memory/1844-59-0x0000000001D30000-0x0000000001D97000-memory.dmp

Filesize
412KB

Download
memory/1844-60-0x0000000001ED0000-0x0000000001F31000-memory.dmp

Filesize
388KB

Download
memory/1844-61-0x0000000001D30000-0x0000000001D97000-memory.dmp

Filesize
412KB

Download