General

  • Target

    tianqin.cpl

  • Size

    114KB

  • Sample

    230221-evc9wsdf39

  • MD5

    76616710538d3a565c768c51d5a55abc

  • SHA1

    1e92575313409eaf847a966ef1d3f001fb4631df

  • SHA256

    8b960c45753593ef4f320a402c20424ab6fe775c163b65d7c03fb89f89378094

  • SHA512

    718cd5bff0e72dc964d870d9c47d13ef55739345b3d450222a49c435bd0fb5df45a1ca1025ca827faf5e6e0b0e9e590229b4bce6aeaa620e23756827db17c2e4

  • SSDEEP

    3072:3XfxrOJuHUIxeyVegFT2FkzDOxfCmPn7:nfRlUItt/CxqO

Malware Config

Extracted

  • Family

    metasploit

  • Version

    windows/download_exec

  • C2

    http://info.bookworld-langchao.work:2096/FpaE

    http://:2096/FpaE

Extracted

  • Family

    cobaltstrike

  • Botnet

    305419896

  • C2

    http://info.bookworld-langchao.work:2096/jquery.js

Attributes

  • access_type

    512

  • beacon_type

    2048

  • host

    info.bookworld-langchao.work,/jquery.js

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALHNjaC1obHQ9cy0yNEtVMTFXQjgyUlpTWUdKM1dFUnwxNTI5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    5120

  • maxdns

    255

  • polling_time

    5000

  • port_number

    2096

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrZ4M1kDofy9bq2RX/5+t9xbZFdiF0uw8B92fNu6tPEldEJ/0BA7zeNUkN6EUHEX5kFGyRfUOjVxHKOnnHMTqckPQi9/ARmPX9w5ccQXuGoLD8BXWBCJh+PK7fLyXTeOQe448vqgE51IxqSY+WVj03d2pE+dLTiXixqlOZ0ykrdQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N5632/sadj/display.js

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

  • watermark

    305419896

Targets

    • Target

      tianqin.cpl

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Blocklisted process makes network request
