General

  • Target: Sample.rar
  • Size: 22.1MB
  • Sample: 230323-ngs8mahb91
  • MD5: f4f6e3112f97d67605239c34bd18d139
  • SHA1: 1580e38b13b3f21ff9753183549c690c2678e9fe
  • SHA256: bbf38b1880ee037302435376852431fa870f18b0fec8662a9d7739d1087381db
  • SHA512: 16fcd6591321865a95bfee02eb475da82773d91746ac755569bd396f36bb45e40dfea996422346039a85b963f983e317b5aab142a266884b06e8a2f369976ff3
  • SSDEEP: 393216:RbzCykUzkSGXGtY3pMDNPlotE6894Or9dnyk9yV1jww/KzOivwP96V:UfUcXVZMDNPlmE68ym9dys6mw/Gvu96V

Malware Config

Extracted

  • Family: cobaltstrike
  • C2: http://47.113.200.178:80/yv95
  • Attributes
    • user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BO1IE8_v1;ENUS)

Targets

  • Target: 24192519fe48742134f892876e8754d9.exe.vir
    • Size: 1.0MB
    • MD5: 24192519fe48742134f892876e8754d9
    • SHA1: cbe590d7c8682dad2d05c759df8afaf0a4b9e8a5
    • SHA256: 0516bfd184b5240a1c441d9035faf17272bdb01651ad4458b85c59e6c27988bc
    • SHA512: 01c4c300fa2d9747eed1aa8d489f1d95fbe70b9166e16b2117173c35dcaa64c8c1737b367ff8f117940b40383c883b4f52edb743ec97ac6049f737ad76440cf5
    • SSDEEP: 24576:75Ctn/z/eJUqr2RX5ICkmnhWmwHH3QJOLQs+U6k7xF:pxxF
    • Score: 7/10
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE

  • Target: 4da95447ef335d683699e9ba3f352797.exe.vir
    • Size: 1.2MB
    • MD5: 4da95447ef335d683699e9ba3f352797
    • SHA1: 8e15f95f54e72f619859284f637dc8a5312aa2d7
    • SHA256: de36087644980290e7ee80cadc86705230536ff8ad143542323086d5f0338d52
    • SHA512: 9cc91ba7ba111e48efab962e71f2e4f8f704fee707f5cebd89d07a4066b4e06aff031f62c38ca7d6cf44a3aeaef22f750b042b6f354dff3a631a971de4b106e0
    • SSDEEP: 24576:LIky4/3X2JcF2jYAF5e2O+f4GC0Nnve511GAsu0Y09OJH:84PYOz3fJ
    • Score: 3/10

  • Target: 7d9ee189fe6bcd4d1dc07ba570684e2b.exe.vir
    • Size: 1.2MB
    • MD5: 7d9ee189fe6bcd4d1dc07ba570684e2b
    • SHA1: 6edf87ee5c05417cc6eff2959231120c3e1b6264
    • SHA256: 5d1faea42a7bbcb40b0b2375becedbd9cfe5fe11c5497a76282d059553682dd3
    • SHA512: e7103b0804545be69a920015048853293904d289399fa0bb4509c63491a9968f4a225d944cc9b1453d4a4eb29d5184d7417a9f8ac2bd4f7ae9f6e4b8d38d0cba
    • SSDEEP: 24576:FIky4/3X2JcF2jYAF5e2O+f4GC0Nnve511GAsu0Y09OJ+:G4PYOz3fJ
    • Score: 3/10

  • Target: aa682ef8adea6576fcbdd35c69c7be47.exe.vir
    • Size: 15.2MB
    • MD5: aa682ef8adea6576fcbdd35c69c7be47
    • SHA1: 36c772e7b51f2d77b7ba9215d191b1b01c7887be
    • SHA256: 76d973c062232bdb6b91edff08abe9c679ecca79f70f7b342f5ecd71f6211824
    • SHA512: 198a73090be9651cff508fedabdd9f2963405f9df6b36705141157a1587122390021411bc7ead6447590490499bc0d6023dcfebfbfe2ca3d8aef2896fd4343e4
    • SSDEEP: 393216:iuia5HFFqZsR641Y4YpvbYoady6H5jGbF:bHFb6411kUPi
    • Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Target: df37a01547bcba1097616ca2da4fd2a5.exe.vir
    • Size: 1.0MB
    • MD5: df37a01547bcba1097616ca2da4fd2a5
    • SHA1: faf0fcfd48cd639c2d3bba52b0693fd3e6011bea
    • SHA256: a7e1b48391e14f6d4531435b17ff22f4b4d2f522ee1c95edba21bb331acb5194
    • SHA512: f649436c7a7b162f3d7744ff3309b2c6f13f65ce38d2286c9299458ae3e76337ad493e79d6e58d04dcc6da4ef7dc66c381443f7fa50231d3de64cb87fca9d44b
    • SSDEEP: 24576:/5Ctn/z/eJUqr2RX5ICkmnhWmwHH3QJOLQs+U6k7x:1xx
    • Score: 7/10
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE

  • Target: efe1804b12286c2f920959073f6267e3.exe.vir
    • Size: 9.5MB
    • MD5: efe1804b12286c2f920959073f6267e3
    • SHA1: be5cb3907dd4db71baa9abb014e7e783ba65c6bb
    • SHA256: 75eca04275d0d448a596141b167d76f750ad38c34d7e93a33745f2b70dadf8d7
    • SHA512: 766d8a9819674e2184a1aa45ad4026719c9cb2c0d8a3ee62a74339ddf8eeba0c8288592a3588693ccbb773f1b8c28b821ae0ea5bc51e96355a6e65785d8ccb22
    • SSDEEP: 196608:vNaRuVh7dQmRrdA6l7aycBIGpER/1q3+dgSDukTH0W8/La5qwLjmZ:YuVddQOl29uq3+d9Du+UW83Y8
    • Score: 7/10
    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (2) T1053
  • Persistence: Scheduled Task (2) T1053
  • Privilege Escalation: Scheduled Task (2) T1053
  • Discovery: Query Registry (4) T1012; System Information Discovery (4) T1082

Tasks