Overview

overview

10

Static

static

10

2023-03-24...ke.ps1

windows10-1703-x64

10

Docs_Unpaid_#233.exe

windows10-1703-x64

10

Docs_Unpaid_#233.zip

windows10-1703-x64

1

Ogwebd4.dll

windows10-1703-x64

3

license.dat

windows10-1703-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2023-03-24-IcedID-and-Cobalt-Strike-malware-and-artifacts.zip

  • Size

    2.1MB

  • Sample

    230328-pa7ccace5y

  • MD5

    987cf1182485dbb8f4e7c6a19e56db64

  • SHA1

    9cb381c54ab5b4ba02a00e8bea9d63cf21a216d9

  • SHA256

    b1e8a8308e3e782b8d546ee5b6de23a7df4b2134d0b5e4d0556635fbe3b01104

  • SHA512

    26fd874ebec3b1a9d4e97cb568ac187dc7c7507790af7d13c40d1a6259a1e7166ff706dcc5b2a5562ff1adc0f95029d69cf8c67a54d3adff68628fc14ab903a3

  • SSDEEP

    49152:K4mEgtXl73XOELkj6aV30M+InjwpXn74Q4CRhJCjVn8p:Zm/l7r9al0gnjwV7gCTWVnq

Score
10/10
cobaltstrikeicedid6740544861883783121backdoorbankerloadertrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

674054486

C2

http://voiceinfosys.net:80/es

Attributes
  • access_type

    512

  • host

    voiceinfosys.net,/es

  • http_header1

    AAAAEAAAABZIb3N0OiB2b2ljZWluZm9zeXMubmV0AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAASQWNjZXB0OiBpbWFnZS9qcGVnAAAABwAAAAAAAAALAAAAAwAAAAIAAAAUd29yZHByZXNzX2xvZ2dlZF9pbj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABZIb3N0OiB2b2ljZWluZm9zeXMubmV0AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAANAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    11008

  • polling_time

    58716

  • port_number

    80

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaznbxNcZ0dXD4A3zagH1WOETphSlB8n6ESc9JXFKJjJnRMNtkv3xmhMwY6UC1e51klf5h1MjpT3aRKsd+6wWYNcS+RpVjqVf50rpkGmDnEAXl7WiRM7dtdSNqIGPfEoM8fQRYu5BGqQS65JvmOxEZ078DO4X/qez/F+XGq/kkwwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.272630272e+09

  • unknown2

    AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /af

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246

  • watermark

    674054486

Extracted

Family

icedid

Campaign

1883783121

C2

liguspotforsit.com

Targets

    • Target

      2023-03-24-PowerShell-script-for-Cobalt-Strike.txt

    • Size

      226KB

    • MD5

      57736120aa9346d8c52a7331f7c9f625

    • SHA1

      e3e3bd59139948d00401184aed5ddf393cb7cd12

    • SHA256

      67f83398e4b96573dd999384827d0441f8b3face1e8395f5533c1d95e9c3cacd

    • SHA512

      0d566fd6322847d7b081b6a2ca0cc484d9afe7b757ce4251e8e4c5fa740e514743cc94a32fa3cc62e79dabde1bfa98e58c7e5f2b3d03fe83e7682647ec37fddc

    • SSDEEP

      6144:+q/iX4GAn/aN/R01/u9apA4L25kaG8TCGcyvp0QgY1PCG:9/iX2/GI/u9an25kd8TCGrvp+YYG

    Score
    10/10
    cobaltstrike674054486backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Blocklisted process makes network request

    behavioral1

    • Target

      Docs_Unpaid_#233.exe

    • Size

      619KB

    • MD5

      4769f980cca32793eeb67997a644491e

    • SHA1

      c55169eb2f48953863f50d97b893fdbe80df0313

    • SHA256

      1b49da1d8b3ba5135030fd494033b30aa58393eeedf53ea0dd2ecf2715a8e6c8

    • SHA512

      363b9aa38a0e2e21e4b54642acf15c0cddb84087500576e1fdead03cc8b6db2dd9f673e3f1b70de5bf6736c17cdabb8edf842dadccdaf1329af7df27be7ec679

    • SSDEEP

      12288:h3DkjpFTq1yZrs7H0x7llP40bG70ckzuX110h:h36TndsT0tjQ0bG70ckzuX110h

    Score
    10/10
    icedid1883783121bankerloadertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid
    behavioral2

    • Target

      Docs_Unpaid_#233.zip

    • Size

      332KB

    • MD5

      a6845d6928a3ede53e013140c9dae5f9

    • SHA1

      52073b12e70240dbf51cf1350799815aa3ecf1ae

    • SHA256

      ef768753d6d4d26ba921a09be5b300b9f7bba070ef6847379490b4c1ec85ceb8

    • SHA512

      66873ccd97df8e1888e8e3b78c9e4e90ddddda1a9e3d76d7bd6aae79e3eaaed49edd5dfcfb748692fe62b01bb4e86e39cc749521062d167bed8b547134df0d5b

    • SSDEEP

      6144:qrWnxdFPIWZAkVczmJeMpmBJd5KZRyA1T6HM4wr7NAn63f/k:qynxzlGyw8eMWaZgary63Hk

    Score
    1/10
    behavioral3

    • Target

      Ogwebd4.dll

    • Size

      349KB

    • MD5

      a29b31a17f3c5c22ef69beb3d4f3e082

    • SHA1

      2d4bf92dd9886bd02ada7038065a67da8ce5dec1

    • SHA256

      ead75f569dfb8e27c8f9f246172aab9d5481301a1d6e663287dc8b49fae68fd8

    • SHA512

      657269c3def0073f1c0732fdfa494361b04b769c7bb7ca8f6d348ab25044585d5b75808b9c9a7f9ca5d9fc30dc16c292b262c395271ca4936b0a4cbac965b96b

    • SSDEEP

      6144:xCjcxL6bkMII9f3JPNxsxqyLvHYdmGpfS3QmZSs:xCjcxOhfZNX+iR6DZS

    Score
    3/10
    behavioral4

    • Target

      license.dat

    • Size

      346KB

    • MD5

      bff696bb76ea1db900c694a9b57a954b

    • SHA1

      ca10c09416a16416e510406a323bb97b0b0703ef

    • SHA256

      332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953

    • SHA512

      8d2ec1aef3a037655a20368cc0554340f5a921124121ecdc58d7f85a04f27c8356228a9f175214874ed9ada6465b9dbbdfd0f712df110df012472452db3bc030

    • SSDEEP

      6144:rlH1wh3kbzrALzYiR1TluF5vXxRER9VxDxb5I6ATsL84sL4QVhbIcb4s2Av74Y2j:rlH1w0z8zHnTlSB89/t9rATsL8mQPvbq

    Score
    3/10
    behavioral5

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks