General

  • Target

    20220119_TA580.zip

  • Size

    8.1MB

  • Sample

    230119-tmdm1sdd9w

  • MD5

    889f014acdbf68d13e7b2ee7d902a382

  • SHA1

    ff53824ead3d442236e91f21fdc0261b17c34fa8

  • SHA256

    b76ba3d165ad8317f3020420db458edbe9165a99e726527a151d39019c533711

  • SHA512

    ad5804f905e132490d91f787a8b4d0ba900e75185c3d643febe7d1bbf85fc41e29ffd9e8222695cdd058c58629431291de6c6fba1f1fc2ce97e8a7d34263661f

  • SSDEEP

    196608:j4LeBJ1AA5E8I2PG0dC4Vu8af+ng7Pu8DWkmtGKmTVSWM:ML81AA5E8lPG0c4orf+neR2ZmE/

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103814

C2

http://95.168.191.223:443/r-arrow

http://45.11.19.22:443/ku

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    95.168.191.223,/r-arrow,45.11.19.22,/ku

  • http_header1


  • http_header2


  • http_method1

    GET

  • http_method2

    POST

  • jitter

    10496

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGR0Qh3y+EUBYe3BK7qolMM8JPwPWG3qSISL7jSnjkuexL5sMHLtzoO5zoQBy+e4TrkofBD2/CsND498lUEN11cFR9Kw1NFw6DnLSlodbOZoq4yAd4rqFrAU7pQXMn+TDas8ZyiZ1Gk0sb29Z3S9pi2fsZj2g4ZLC8cpJipJJRmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.025605888e+09

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /link

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246

  • watermark

    1580103814

Targets

    • Target

      20220119_TA580/Requirements.lnk

    • Size

      1KB

    • MD5

      2157d05171e0a32c30a8c8350d25335a

    • SHA1

      3af6b7bcd388b88d71ae09789b18a7a01e23b14b

    • SHA256

      6e37e051433faa97a381fc8d8a51e8d0a5384d2fc7abc3dcf727d036bc196a74

    • SHA512

      80585b023390d8adbb199e054cc1bfbf82b59c68965b1549f95ae45f33eb1b7f22fa448ff9ed134d6fb04d965216f4a884ed63a6bdbe743c7f5e5233e3b46e5d

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      20220119_TA580/project/_asyncio.pyd

    • Size

      62KB

    • MD5

      4ab3a456c59f6aed0d147c31fab59604

    • SHA1

      36cf52fce6accb5896e9b9d0cdda816f870347d3

    • SHA256

      97ed94f8d35445573177ba75e17dcf4c667e3c236c0b4d436fa97f8c862cc0bd

    • SHA512

      31b48c7891aee3fb1600f4d29b6bbbb138f8b561bd252b233b69054536c6118225cb9711fa56a0d11a619968c7befc11ec9b31936a346dfd795515934ca8e00f

    • SSDEEP

      1536:9vV7Wh3eT4k53MR4mj6YFro9I45n4N7Sy1Px:9v5WhuJ5MR4mj6qo9I45nO/x

    Score
    3/10
    • Target

      20220119_TA580/project/_bz2.pyd

    • Size

      81KB

    • MD5

      23dce6cd4be213f8374bf52e67a15c91

    • SHA1

      dfc1139d702475904326cb60699fec09de645009

    • SHA256

      190ade9f09be287fcc5328a6a497921f164c5c67e6d4fcdcb8b8fd6853b06fe2

    • SHA512

      c3983e2af9333a8538f68f7048b83c1bb32219c13adac26fd1036c3dc54394a3e2c1e4c0219232badd8e2c95418019b9b22906bdb23a19601447573a93c038a0

    • SSDEEP

      1536:LsRz7qldca26V6bw3haLRFcja8Ed7jjWHCFI4tV87SyzPxA:YRzGgohaQ9Ed7jjWiFI4tV81xA

    Score
    3/10
    • Target

      20220119_TA580/project/_ctypes.pyd

    • Size

      120KB

    • MD5

      2abeebe2166921a4d8b67b8f8a2b878a

    • SHA1

      21f0fff00cba76a0ea471c3e05179e4b4cc1ebd0

    • SHA256

      7adcea3a5568752a6050610cfbe791a4f8186aaaa002f916b88560a1ddab580f

    • SHA512

      54c802d532c9ef9f3668d5e9bf23b69a58f87ec545af7fd4eab1055bfb8ee66481f361458076a364a17ddddd6550a70f5442c2bbe6562553472c0839346b1a35

    • SSDEEP

      3072:KKCJyJvjdYIih4Aa44kfrSS9cu08hwk/5I4QPnzx:KfsVSa4TfrSKL/

    Score
    3/10
    • Target

      20220119_TA580/project/_decimal.pyd

    • Size

      242KB

    • MD5

      b6acb44c2f580991df7b1358a0fc0b69

    • SHA1

      f2d3d2ce5439197637b02e8dd414f8e6dddb6678

    • SHA256

      2bab2833c24eb4e07fe082d291013eed000a5cfc22df49311c729e7a57fe632e

    • SHA512

      0e73b00db220794aa291b4e710ad7abbfb06a78fa63e1f313963472009f77a48d2ef9bca24d350bc2c94d2a14d3b676e9132ab79b33da5b09a3b90cceeb816b0

    • SSDEEP

      6144:Gs3pt2wLuP4XSNc2VR6qEv4B9qWMa3pLW1Ak7N4u1cn:N2wQ4XSRVR6t43a7eu1cn

    Score
    3/10
    • Target

      20220119_TA580/project/_elementtree.pyd

    • Size

      124KB

    • MD5

      23844dc840c287df4fdf3adf76a751f1

    • SHA1

      f8cfb71363288d15a4cd8c8a34007b5020da4322

    • SHA256

      0f35db36f3768bd096727c731aa76879650246d550c503af381cd96adee35258

    • SHA512

      4305e3910eea3f9c55877b2fc29330d35a4da04fe6b078564fa44b2abccfa051a0e9192339292e5516a878a43a89d1ede54d02717a1a41a2777b9abac1d17c72

    • SSDEEP

      3072:yyaTDrPxv8RwXQYk2wHC4YkTQNlyI/0O/0t/0S/0GRvnT24Z1I41f38xr:InPxv8SZk2wbnQaItWlzT24Z

    Score
    3/10
    • Target

      20220119_TA580/project/_hashlib.pyd

    • Size

      60KB

    • MD5

      477dd76dbb15bad8d77b978ea336f014

    • SHA1

      3ee56105b71c3676c2e4fdaeb7d561f68cf03b9e

    • SHA256

      23063b56aa067c3d4a79a873d4db113f6396f3e1fe0af4b12d95d240c4cf9969

    • SHA512

      3a97c0a860e3cf97ae53b1f75623c52dcad9b64b70d329511781058a3477bc9faea32c2b8dc4852e7a8c4b0a02c8e3d027cf27e91187069cb35fb4d78d4e73ef

    • SSDEEP

      1536:oxTlJFWaIKsZbdqzOgB1f9I45IX7SyMDPxok:CT36nZbdqzXf9I45IXsxj

    Score
    3/10
    • Target

      20220119_TA580/project/_lzma.pyd

    • Size

      154KB

    • MD5

      401eca12e2beb9c2fbf4a0d871c1c500

    • SHA1

      7cfc2f94ade6712dd993186041e54917a3dd15ae

    • SHA256

      5361824ddac7c84811b80834eca3acb5fe6d63bf506cf92baf5bd6c3786bf209

    • SHA512

      da6b63ba4e2e7886701ff2462c11dd989d8a3f2a2a64bb4f5eed7271b017d69e6cfe7347e3d515fdf615ec81d2bb58367bcc1533b8a5073edf9474a3759f6d7c

    • SSDEEP

      3072:sc+sMZ4drcsAF5FRm1YznfI9mNoxapHVZKeFI4e1QGxK:r+sMAIt5dwYOxatKeV

    Score
    1/10
    • Target

      20220119_TA580/project/_msi.pyd

    • Size

      42KB

    • MD5

      ac20e4b6d498b445008ded2095964d5e

    • SHA1

      1b87791eff7cb0a26c85efc9d7c5b614136949d7

    • SHA256

      4fe82284a550f67ed844a2ba052c63916d6c6c17b70c4d5e2fd7f6c4ac8a579f

    • SHA512

      b8c79e82d7efca62bddae7048b7ae5e58de0fc35131a60c546cb30137459b927f47c6e48b05cafdb066e2def0ac5c228461e999f6170c805d3b893c5c34e9775

    • SSDEEP

      768:V9d5be68BVornXkfPxoUAIZdeoLuM3uJYVXtogyQbFI4tGQCvYiSyvLPxWEe:X/qtornXkfpuiVmgySFI4tGQCv7SyjPx

    Score
    3/10
    • Target

      20220119_TA580/project/_multiprocessing.pyd

    • Size

      32KB

    • MD5

      d9f27a0d595c8b044f78e7bb25fd107a

    • SHA1

      443badbdb08af2fdae772a9c1247bbd3d8512ddf

    • SHA256

      b28e94b921d5d539cbd5f97ff4926e4f186791af1b364de7be7fcce3970172f7

    • SHA512

      a4969ee0e56d20313ab3b9391b8f9796fa091969fcc0ffe4ec188f0d710d45a6c9cf388e0f2336540128afb81d6260dacc180606eeb05429fecc30b5295b46c9

    • SSDEEP

      768:aHI6RwgJ5xeyg2edhnJ8tI4Rt+8YiSyvDPxWEe3:iIoJ5Uyg2edhJ8tI4Rt+87Sy7Pxw

    Score
    3/10
    • Target

      20220119_TA580/project/_overlapped.pyd

    • Size

      47KB

    • MD5

      04f8440ff4724eb61a35ac13f3643ae9

    • SHA1

      ca0f01c4cff9cf2433326d407d143278940346b9

    • SHA256

      370b4ad06881c3cb781be0f78476eaeb5e440c60498f5791c3d413860fdc9b5e

    • SHA512

      b575ddc7804ddb634077cece18dc4ec83d7c7e1d0de913abada64b2666f77bd413b4494aa96a172a0b0897695e2772edc72bcb549c314317e613f37510c88e38

    • SSDEEP

      768:Wy4KxRzX8sGAQRxcSVNdQwBlLXTSVsGxI4st7YiSyv9fgmPxWEZO:eKxYNDnSVsGxI4st77SylfpPxO

    Score
    3/10
    • Target

      20220119_TA580/project/_queue.pyd

    • Size

      29KB

    • MD5

      8eabd51d536276f3b3257ee975e50bfc

    • SHA1

      1a13f707b29b895647a7de254031a6c80eb2cb7a

    • SHA256

      24c23d04d274a4c1234f1a1a35b1805e1f17f99968f8baeec0c3b5295f05608a

    • SHA512

      cfa027a1e01204078ccab3c2e1910e5806e0294d3ff0225d4713ea3b16cf07589005a0cc342688c3bb0bb6aa31b5401760c3890d46b39038b046072ad7b02b81

    • SSDEEP

      768:Lez/DFB6r3GkrAIe5I47UYYiSyvN0PxWEZokD:LeDK3GkrAIe5I47UY7SyWPxnD

    Score
    3/10
    • Target

      20220119_TA580/project/_sqlite3.pyd

    • Size

      95KB

    • MD5

      3250302acbe9f7cbababf13ea87a4af7

    • SHA1

      8abcfbaa91c36b17debcd592dca65b4fab8a7501

    • SHA256

      54c5c66e26bcdb9badde9c241104d59ebf57420d9cfcf72ab1737fa1a8f87bce

    • SHA512

      2c8cc53a172ca527db2b16315bbabe15ce987531cb59806eefa9f163a65020d85125975bf726533b6db0286464678a296d11c4eee944a89c38a0f49c61b70d55

    • SSDEEP

      1536:KzgM+YDOyvuPwYXGqijQa4rlIaiN9NbTm9c4L7ZZkyD9I45QIm7SyrPxF:xtYCDPSQa4rlIdDbWc2tZkyD9I45QImd

    Score
    3/10
    • Target

      20220119_TA580/project/_ssl.pyd

    • Size

      155KB

    • MD5

      dcb25c920292192dd89821526c09a806

    • SHA1

      79c9af3a11b41d94728f274b45a7c61dc8bbf267

    • SHA256

      4e496cb3b89550cf5883d0b52f5f4660524969c7a5fa35a3b233df4f482d0482

    • SHA512

      ae4ed1a66eef0b0c474c6ee498cd1388ef41f3746905257c7f5c0f73abbe3262eb47bb5748d47d55f1bd376308335a089c2b4c15ffe5d7fc21f2a660a4a93ba4

    • SSDEEP

      3072:VOoLGtbSpE3z/J/PUE9u/85J2oEPwu3rE923+nuI5Piev9muFI4t761xu:VOoitbSpE3zhHPu/mE8nuaF9mud

    Score
    1/10
    • Target

      20220119_TA580/project/_uuid.pyd

    • Size

      23KB

    • MD5

      e061dc788fd6d81e08cec63f08ee882b

    • SHA1

      a68a40d26ee2d64c6bc47f5b4ae8ed6508ec7ba4

    • SHA256

      e650244ff050dffadd9eb2b4462ec1f28bc2c9d6e090e05b2e8b0d9451712ff3

    • SHA512

      e8bb2f44fd633d6315a77ddfed8dc69d4ccfd45f22062ddeab007b95c8210a3e3fa7831b16dc5e6b4ba58c1934e4d15ea0ba0a48448da487dea81ff3fa04f312

    • SSDEEP

      384:McfwFpEW2U6TfQFI4ew3iIYiSy1pCQ12hPxh8E9VF0Ny1RC:McqpEZ7jQFI4ewfYiSyvEhPxWEf

    Score
    3/10
    • Target

      20220119_TA580/project/_zoneinfo.pyd

    • Size

      42KB

    • MD5

      e4c4a639cfb3d082b2fdb44ce08c1be3

    • SHA1

      33fc3cc2db9ffc9e233aca5bc9290a69d138781f

    • SHA256

      4333fc3595ea1ea48c5a983f8b60a64c192f39e5a0be2c7acd0033467269556d

    • SHA512

      ef31ef93b73de02821751274f1a401710ef04c589cbb92d94ec0a3a5da5175e83c26bc12c367f0548583cf026cdce0e7ce3d33d7c4b3016e90beb42810f39bf0

    • SSDEEP

      768:y8FQjWzWQt6XMuG7mM+FrRQOLb0CjyLstQ9t9I4CXbYiSyvpPxWEf:y84SqMt6MSrRQOLb0CuLstQH9I4CXb7V

    Score
    3/10

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Tasks

static1

Score
N/A

behavioral1

Score
3/10

behavioral2

cobaltstrike mimikatz 1580103814 backdoor trojan
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
3/10

behavioral5

Score
1/10

behavioral6

Score
3/10

behavioral7

Score
1/10

behavioral8

Score
3/10

behavioral9

Score
1/10

behavioral10

Score
3/10

behavioral11

Score
1/10

behavioral12

Score
3/10

behavioral13

Score
1/10

behavioral14

Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
3/10

behavioral19

Score
1/10

behavioral20

Score
3/10

behavioral21

Score
1/10

behavioral22

Score
3/10

behavioral23

Score
1/10

behavioral24

Score
3/10

behavioral25

Score
1/10

behavioral26

Score
3/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
3/10

behavioral31

Score
1/10

behavioral32

Score
3/10