Overview

overview

10

Static

static

bc9fa38f45...db.exe

windows7-x64

10

bc9fa38f45...db.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bc9fa38f45390aec217a6ae2b9c9301bae374802cd59a911632b1e279bd695db

  • Size

    567KB

  • Sample

    230109-q776kshh3z

  • MD5

    5ae56c43d08e87eff8b1e1e63b9d1bfa

  • SHA1

    697f7b5a49093968e1dbe81af55b785fea11eb79

  • SHA256

    bc9fa38f45390aec217a6ae2b9c9301bae374802cd59a911632b1e279bd695db

  • SHA512

    fceb23d1e337c644f44c7336f461cf1ec11e90f6e00071e3dba7d4821ee18d39c0885d274c2acc710f143cc886c7ae0f79f8950c642b138f10cda9010322fc91

  • SSDEEP

    12288:PLLTaLwPzp0qbF5AnyLarFrSfaKhCNL9OTg20RwfMC+vcdfsmA:zLEwLpf5Ay6FFmCNoE7qM/5mA

Score
10/10
cobaltstrike1359593325backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://101.72.205.199:443/config

http://112.25.18.136:443/admin

http://114.80.187.84:443/config

http://118.123.241.206:443/admin

http://121.207.229.136:443/config

http://122.156.134.217:443/admin

http://124.236.20.140:443/admin

http://125.37.206.217:443/login

http://125.76.247.218:443/config

http://140.249.60.232:443/config

http://14.29.40.5:443/admin
Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    101.72.205.199,/config,112.25.18.136,/admin,114.80.187.84,/config,118.123.241.206,/admin,121.207.229.136,/config,122.156.134.217,/admin,124.236.20.140,/admin,125.37.206.217,/login,125.76.247.218,/config,140.249.60.232,/config,14.29.40.5,/admin

  • http_header1

    AAAAEAAAABpIb3N0OiBkb3RuZXQubWljcm9zb2Z0LmNvbQAAAAoAAAALQWNjZXB0OiAqLyoAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tVVMAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAANAAAAAQAAAAQucGhwAAAABQAAAARmaWxlAAAACQAAAAt0ZXN0MT10ZXN0MgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABpIb3N0OiBkb3RuZXQubWljcm9zb2Z0LmNvbQAAAAoAAAALQWNjZXB0OiAqLyoAAAAKAAAAE0FjY2VwdC1MYW5ndWFnZTogZW4AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAEAAAANAAAABQAAAAl0ZXN0UGFyYW0AAAAHAAAAAAAAAA0AAAAFAAAAAmlkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    GET

  • jitter

    8448

  • polling_time

    6000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpH5tXh4A0mRni/kTkjrCqjm6TNby6PG7Vr1bz6tPF2m85Rz97bnKJnRywQHVDzZ3G+/cjezuR/vr2lyMnk/rNcaof60SA86V2IKsopwEEJcejBmg3X8hKn2qVDg8E/roFcG8WeL2dO55uNt9/3rKTwxYkDXh8yextoFEe2RGHcQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    9.06174464e+08

  • unknown2

    AAAABAAAAAEAAAAIAAAAAQAAAAgAAAABAAAACgAAAAEAAAAGAAAAAQAAAAsAAAABAAAAIQAAAAEAAABFAAAAAQAAADcAAAABAAAAQwAAAAEAAAAbAAAAAQAAAA8AAAABAAAAGQAAAAEAAAAgAAAAAQAAAEgAAAACAAAAEAAAAAIAAAARAAAAAgAAAAsAAAACAAAAHwAAAAIAAABQAAAAAgAAADwAAAACAAAANgAAAAIAAABFAAAAAgAAACYAAAACAAAACAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    1.610612736e+09

  • uri

    /Admin

  • user_agent

    Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36

  • watermark

    1359593325

Targets

    • Target

      bc9fa38f45390aec217a6ae2b9c9301bae374802cd59a911632b1e279bd695db

    • Size

      567KB

    • MD5

      5ae56c43d08e87eff8b1e1e63b9d1bfa

    • SHA1

      697f7b5a49093968e1dbe81af55b785fea11eb79

    • SHA256

      bc9fa38f45390aec217a6ae2b9c9301bae374802cd59a911632b1e279bd695db

    • SHA512

      fceb23d1e337c644f44c7336f461cf1ec11e90f6e00071e3dba7d4821ee18d39c0885d274c2acc710f143cc886c7ae0f79f8950c642b138f10cda9010322fc91

    • SSDEEP

      12288:PLLTaLwPzp0qbF5AnyLarFrSfaKhCNL9OTg20RwfMC+vcdfsmA:zLEwLpf5Ay6FFmCNoE7qM/5mA

    Score
    10/10
    cobaltstrike1359593325backdoortrojan
    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks