General

  • Target

    Desktop.rar

  • Size

    888KB

  • Sample

    230331-p5dcrahe85

  • MD5

    aa38ce76b39887b3f453bc682f0bb839

  • SHA1

    74f1643cb1151756fb7d496e8d29745fb0a7b4d1

  • SHA256

    b6fa6c6eda847b0886239c298632deca91411bebd2a05dde31f0a373a8558154

  • SHA512

    7d2a3645418678c521b22115d27718c24cc765be49aec1ba066c512ecd4fb41582abefe1d0a4eee7a5f8819c8591342ba5bba72a13c102974f2b7b24720c94bb

  • SSDEEP

    24576:ELMUHmPL/NopUdBd8n8/DNKuqVTygDfyqrIY:8G7NQA5hKuqDBr7

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    99999

  • C2

    http://service-pjo6e71f-1259689902.bj.apigw.tencentcs.com:443/api/getit

Attributes

  • access_type

    512

  • beacon_type

    2048

  • host

    service-pjo6e71f-1259689902.bj.apigw.tencentcs.com,/api/getit

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    3000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCU0m7H1l2AP44i7L/wgxQAhx3FVvY8t2GPssMT+CnCAm/OMdzDuwEeAoovm9zMGaOLQR22rnxnhBbzPfpLtOtIH8ItUoIzPY0O2+0Xw8mj9ctJlAFb5QBneSJhY7AldZD6ghCXWdEoLKe7cTnrO0t2etFCBILTaT+oSw2lqwFIYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /api/postit

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63

  • watermark

    99999

Targets

    • Target

      Desktop/2f0812f7f7905937a82c3a755c40becf63e0d6ed39f212ac931774dfdf338d53.exe

    • Size

      373KB

    • MD5

      d82eb76b428bb814965baa059e4b15c0

    • SHA1

      468ad6d157589afbc055233ca6d9fb1e43f192ef

    • SHA256

      2f0812f7f7905937a82c3a755c40becf63e0d6ed39f212ac931774dfdf338d53

    • SHA512

      06cb2dc0f0c4de91ca579db6365092b415a626d7daca1775c433fb35f3ce79190b0853088b75168e4e87b301036600fe73649342e55f42f8a1d663f0ec1b805f

    • SSDEEP

      1536:2zrkW1mfdT631H2vvspStlLEWEqg6Gy2Jx/8LK6u3EwArdNuNUsWUzcdDs8cn8:s9mfRtXsYfFg6GlJ7GrdNOrCDshn

    • Target

      Desktop/50135b3cd8e475e98d6e1c9886bb8cd10f400096dfc840f174fc4545fb0a3b92.exe

    • Size

      221KB

    • MD5

      812e6a209b063b65661987c557cf9971

    • SHA1

      3c0709db8983a91cb32b464fba7ce3af396758c3

    • SHA256

      50135b3cd8e475e98d6e1c9886bb8cd10f400096dfc840f174fc4545fb0a3b92

    • SHA512

      6173d24eb79796b7a78dc193c62964acc5e8533ce82379854b78f3cd3fdc3b5a3eb255b47493ced7c769c862196fe3e90463c51597f481c43798ee8d5aa96962

    • SSDEEP

      3072:hvTiJQepu4he4l6Yjyb453JwmuRljmScpBl9PLa3d+EIeHEjktcv1oKGys85fCp:hiAWOy3JwHRlinBl9PLBgWCp

    • Score

      1/10

    • Target

      Desktop/bbbd5d0aef3c2cfa296cee376dea6d7eb777a9c12140aed1a7c2c8d6ecda1e26.exe

    • Size

      25KB

    • MD5

      953f090e710bd66e07e83c82afff4d9c

    • SHA1

      c49dce1cdf5bab3e641a736a6c07015e963860f9

    • SHA256

      bbbd5d0aef3c2cfa296cee376dea6d7eb777a9c12140aed1a7c2c8d6ecda1e26

    • SHA512

      8f2377dacfd5ee1a2ba5c3da88525ce50a68b2fd35bc65c71056148cb0d6ec5925b2d379ed5fbaab2416234b19f16dbd16a38d6be182381cb2f619089c5562f7

    • SSDEEP

      384:15ZYpNGs0U92jj6hCWyv0T4gjGShWM8rZLNr3BNAeIwtPcn3CAm9OZN9MNssq:daNGLU92KgbG4WXWHVTPIwtccakT

    • Score

      1/10

    • Target

      Desktop/ed902b16d454afd9d3a972e0dbe5d46e5f5b0da01e5e763069f149f07cbaf274.exe

    • Size

      1.4MB

    • MD5

      8fe73841d539ff5dc04b7d3bc6e35261

    • SHA1

      c532882885eeeda07741e0c4d1676f9116612486

    • SHA256

      ed902b16d454afd9d3a972e0dbe5d46e5f5b0da01e5e763069f149f07cbaf274

    • SHA512

      a7ba8bb7dc4642293cf67d2c7098e3b9fdb9d112b5cc219e4fa8b138830442ff458c2ac551d4519463b8df8c3c4d8e0e74ec54b6bcdbf4369de2b20cddfa7a68

    • SSDEEP

      24576:SDZcOnRuUC2ywJ1/ogGKGShlgla+5BSiK1nP3LLuuQti0UuxcC:SDZHs8gla+5UiK1P3790Uux

    • Score

      3/10

    • Target

      Desktop/ffd5738de2af368a497d3a2020bb51ed380b00f3eb4abefa835c362ec7df8bc8.exe

    • Size

      14KB

    • MD5

      467e7c118e4b1176d20da062012b1a3b

    • SHA1

      26be3d886bfcdf1cbc2c5daf9790cd9af33283f7

    • SHA256

      ffd5738de2af368a497d3a2020bb51ed380b00f3eb4abefa835c362ec7df8bc8

    • SHA512

      6a5ed6aab2488558c88ec6e13ae3f852594037c64a7a0441af2e73e0c5ba89547d34345d22094c2cbb7f9a94eb07864b7650698495928b8bb52f4d87c59578b9

    • SSDEEP

      192:KOnfCFyCoS0gdPke85YFUj/zxesqfa3Q5gKcqh:pgdV8p5YFUj9Z3Y

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Install Root Certificate (T1130): 1

  • Modify Registry (T1112): 1

Discovery

  • Remote System Discovery (T1018): 1

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2
