Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-03-2023 14:27

General

  • Target

    0a9f32d40fc1f0c6b93431e0ce76ff62.exe

  • Size

    218KB

  • MD5

    0a9f32d40fc1f0c6b93431e0ce76ff62

  • SHA1

    fe2c3c1a25e57f520c03817a40f0ca950b2a3a9f

  • SHA256

    5e6e9956ffee58bc7ac7d367f4bbbc145837404cda32214b95e568199c0218fe

  • SHA512

    124e39a8a738f592f3bf85e0e423cabe787bebb927126e2a698e157f248ee9866ce230313ad0d567021f1e54e0b45410c62f05df743d6011e5e5156465239951

  • SSDEEP

    6144:3EEgnYUdH/L8MBorobkk8MO20Fz36RNzxMCR:0+Udfposbkk8Q0Fz367xMCR

Malware Config

Extracted

Family

cobaltstrike

C2

http://mail.shqianxinn.tk:2096/jqueryjs/jquery-3.3.2.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: mail.shqianxinn.tk Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/101.0.4951.67 Safari/537.

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://mail.shqianxinn.tk:2096/jqueryjs/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    mail.shqianxinn.tk,/jqueryjs/jquery-3.3.1.min.js

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    14080

  • polling_time

    21710

  • port_number

    2096

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFpNlYWDh8JSplLhLhe7/rOMTPeqMHd6I+c+my9zIGFHogVunosmcA0uAQJodCcp6p0iy4KxogI5rUs7D1vIAllM3VVp8Ntr9obu2ijOdziDjtjxWW12b2GlP1qGg73+8PAmX0CAQi66F6axF9cVA44FmmpeHlUnoeUWQc8Cm1oQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jqueryjs/jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/101.0.4951.67 Safari/537.36

  • watermark

    426352781

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a9f32d40fc1f0c6b93431e0ce76ff62.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9f32d40fc1f0c6b93431e0ce76ff62.exe"
    • Suspicious behavior: EnumeratesProcesses
    PID:1320

Downloads

  • memory/1320-133-0x000001D8C5A50000-0x000001D8C5A52000-memory.dmp
    Filesize

    8KB

  • memory/1320-134-0x000001D8C62E0000-0x000001D8C6752000-memory.dmp
    Filesize

    4.4MB

  • memory/1320-135-0x000001D8C5EE0000-0x000001D8C6044000-memory.dmp
    Filesize

    1.4MB

  • memory/1320-136-0x000001D8C62E0000-0x000001D8C6752000-memory.dmp
    Filesize

    4.4MB

  • memory/1320-137-0x000001D8C5EE0000-0x000001D8C6044000-memory.dmp
    Filesize

    1.4MB