cobaltstrike | be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141

Analysis

max time kernel
35s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 13:35

Target

be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
Size

144KB
MD5

c404859150b29d1074d511b435098ff3
SHA1

221260c4c12f810768f795bb3ccb1431f45583a2
SHA256

be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141
SHA512

6cda78e86fbcbc1ee7e84576f5f130cb4c10031b97e4f39a5c989da7039cd5fc9165d5107d6c71079d672a03c2b2648439346c8c46097db8cc5ba61f9dbad09a
SSDEEP

3072:s0IYwk7xA1hBO7bvZreljmHITlbbxHZyVnVpaJ0opb+g9H:nIYwkdV7bBreRdBbbiRam++yH

Score

10^/10

Family

pony

http://74.53.97.66:8080/forum/viewtopic.php

http://74.53.97.67:8080/forum/viewtopic.php

Attributes

payload_url
http://boletin.puntoimpresion.com/Qnrnh53B.exe
http://www.vivaidiportanova.it/55V7.exe
http://www.urbyagri.es/s56k5.exe
http://etradi.webgenshop.nl/xWP.exe

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe

description	pid	process	target process
PID 1348 wrote to memory of 1560	1348	be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe	be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
PID 1348 wrote to memory of 1560	1348	be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe	be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
PID 1348 wrote to memory of 1560	1348	be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe	be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
PID 1348 wrote to memory of 1560	1348	be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe	be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe

C:\Users\Admin\AppData\Local\Temp\be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
"C:\Users\Admin\AppData\Local\Temp\be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe
"C:\Users\Admin\AppData\Local\Temp\be066a26daf68e43deddd23a33c5ef641be66b543c60552c939d4250c2e56141.exe"
2⤵
PID:1560

memory/1348-54-0x0000000000FF0000-0x000000000101F000-memory.dmp

Filesize
188KB

Download
memory/1348-55-0x0000000000FF0000-0x000000000101F000-memory.dmp

Filesize
188KB

Download