Overview

overview

10

Static

static

1

index.html

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    index.html

  • Size

    4KB

  • Sample

    230619-w4mclaff26

  • MD5

    bcb91d94e5359742b397307b751f40dd

  • SHA1

    41eeb7840d851d96191ded61b04cfe1848e6b5dd

  • SHA256

    e5d6646832d99660132fb5d60ff398c2133c3ed4e365a8206bbb91c394d84abe

  • SHA512

    6f28027d0c0bc210df05a9ea53acf20476177a2bdfb6b8c821788b0a019af6873a299718ac1cdd98bbf8d78e85ed6fab8ebcfd6d963293cf208ffe78ceef1fc8

  • SSDEEP

    96:ZHE4M7RTkFHbOAvZAkYBkhvOy85gyjX4uTwEBZMFWKvlT4ap:dxM7RTkE8YBa785gyj30EBZMFWKvlT4u

Score
10/10
cobaltstrikebackdoorcoreentitydiscoveryevasionpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      index.html

    • Size

      4KB

    • MD5

      bcb91d94e5359742b397307b751f40dd

    • SHA1

      41eeb7840d851d96191ded61b04cfe1848e6b5dd

    • SHA256

      e5d6646832d99660132fb5d60ff398c2133c3ed4e365a8206bbb91c394d84abe

    • SHA512

      6f28027d0c0bc210df05a9ea53acf20476177a2bdfb6b8c821788b0a019af6873a299718ac1cdd98bbf8d78e85ed6fab8ebcfd6d963293cf208ffe78ceef1fc8

    • SSDEEP

      96:ZHE4M7RTkFHbOAvZAkYBkhvOy85gyjX4uTwEBZMFWKvlT4ap:dxM7RTkE8YBa785gyj30EBZMFWKvlT4u

    Score
    10/10
    cobaltstrikebackdoorcoreentitydiscoveryevasionpersistencespywarestealertrojan

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

      coreentity

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks