cobaltstrike | 96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130

General

Target

96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
Size

152KB
MD5

bc516e2428b04e0e75230697d3dd87c0
SHA1

015f31469c48f269ca3c011833e87dbbcab6ee49
SHA256

96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130
SHA512

3cbed515238437058d1a7064f6a713b75c6cb09dc6f6033c32c084b78c227a0f1bae61e12a00414d636f9f38632cab783cd2ae0b48f33b84f2fe39575bd2e9be
SSDEEP

3072:vsM+xYtQ8CIcDO4ZTGv1RRy93nRd93eFTzZeSWijRN3CtGJ:ZRhCPO4ZTUAVVCzQdi9N3C

Score

10^/10

cobaltstrike pony backdoor collection discovery rat spyware stealer trojan

Malware Config

Extracted

Family

pony

C2

http://66.55.89.149:8080/forum/viewtopic.php

http://66.55.89.150:8080/forum/viewtopic.php

Attributes

payload_url
http://cikonungunlugu.com/CMw.exe
http://ftp.lastraautosport.com.ar/xjH.exe

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

description	pid	process	target process
PID 784 set thread context of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

description	pid	process
Token: SeImpersonatePrivilege	2028	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
Token: SeTcbPrivilege	2028	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
Token: SeChangeNotifyPrivilege	2028	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
Token: SeCreateTokenPrivilege	2028	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
Token: SeBackupPrivilege	2028	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
Token: SeRestorePrivilege	2028	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
Token: SeIncreaseQuotaPrivilege	2028	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
Token: SeAssignPrimaryTokenPrivilege	2028	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

description	pid	process	target process
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
PID 784 wrote to memory of 2028	784	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

outlook_win_path 1 IoCs

Processes:

96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe

C:\Users\Admin\AppData\Local\Temp\96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
"C:\Users\Admin\AppData\Local\Temp\96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe
"C:\Users\Admin\AppData\Local\Temp\96b6a2fd52420ce5603974686ac26fb00c6c008400f3837aa123fd05cc2ed130.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-54-0x0000000000E80000-0x0000000000EB2000-memory.dmp

Filesize
200KB

Download
memory/784-63-0x0000000000E80000-0x0000000000EB2000-memory.dmp

Filesize
200KB

Download
memory/2028-62-0x0000000000410329-mapping.dmp

Download
memory/2028-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2028-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2028-61-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2028-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2028-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2028-65-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/2028-66-0x0000000000E80000-0x0000000000EB2000-memory.dmp

Filesize
200KB

Download
memory/2028-67-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2028-68-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2028-69-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads