cobaltstrike | cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 04:07

Target

cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
Size

144KB
MD5

715232b95f71fb77c170bf0ed526f250
SHA1

2fd4c3f4c6988b4364a2d7f60b84ce182338ef29
SHA256

cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49
SHA512

c1be358f0e6720e85f38421acf1ef66b258b24daa07e5a2fde71204552136f043c314bd1be654d61120fd32916112f0eb7e92ecf18397a1105db8cd7d9152951
SSDEEP

3072:s0IYwk7xA1Ifra36ZbYNgLV3XJBbKuMHiJgpaJDK0rvox2qUQs:nIYwkdra3UbYuFPbUJavrEs

Score

10^/10

Family

pony

http://74.53.97.66:8080/forum/viewtopic.php

http://74.53.97.67:8080/forum/viewtopic.php

Attributes

payload_url
http://entdeckeschweden.de/awk4jNK.exe
http://clubevidaboa.com.br/Skkos.exe
http://iglesiasdeldiosviviente.org/f2peMF.exe

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe

description	pid	process	target process
PID 4988 wrote to memory of 3928	4988	cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe	cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
PID 4988 wrote to memory of 3928	4988	cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe	cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
PID 4988 wrote to memory of 3928	4988	cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe	cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe

C:\Users\Admin\AppData\Local\Temp\cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
"C:\Users\Admin\AppData\Local\Temp\cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe
"C:\Users\Admin\AppData\Local\Temp\cad9eb5a91c9e7ba6582ca727173c48a77ae60939c8bfa875d6bc03bcce86e49.exe"
2⤵
PID:3928

memory/3928-133-0x0000000000000000-mapping.dmp

Download
memory/4988-132-0x0000000000A80000-0x0000000000AAF000-memory.dmp

Filesize
188KB

Download
memory/4988-134-0x0000000000A80000-0x0000000000AAF000-memory.dmp

Filesize
188KB

Download