cobaltstrike

Resubmissions

20-07-2023 02:57

230720-dfnxeach9s 10

22-03-2023 14:36

230322-ryxtxsbc3y 10

Sharing

Copy URL

Twitter E-mail

General

Target

顺丰2023年4月裁员名单.rar
Size

3.4MB
Sample

230720-dfnxeach9s
MD5

d6f0cdd9395be68ff764dd2fc6618575
SHA1

4a423b7ba43622bf1be390509fd16f1c72317cd9
SHA256

eb04cb22cca9a31dbcc6495e692a0f5e2a50e7e6912182c3de01517d3b4a59a6
SHA512

4005e1f1e3ac753bd1fa975ea036033378115e6a7ba993b172099bd2038db20663f6f416ace6a216536e3f97fb403c03b6c4dbec720c79ef98c5abb10236a201
SSDEEP

98304:57S1EFvSrA7BiecrPoR965t2+WweP+74Xt:57S1EFvYIBdOY9650UePJt

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://bsupport.huawei.com:80/audiencemanager.js

Attributes

access_type
512
host
bsupport.huawei.com,/audiencemanager.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAaSG9zdDogc3RhdGljLm1pY3Jvc29mdC5jb20AAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vc3RhdGljLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAABQAAAAdfX21zLWN2AAAABwAAAAEAAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
30000
port_number
80
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEhSlSrqe08fqi2sm/HDDQ/TULIO/SwoS+x4kBoCzrWo49EzP4g4IiU4V9blbEBfc48fOrI7vVMRHBnnibaOsgAgnfzQ7n2/jw3af65qHQSOgbt8SSfs36WfCbzPKMc1tGpgiqYG+hAFGu/snKl0iZSddRLL8csTaipueoauIGWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.435374848e+09
unknown2
AAAABAAAAAEAAAf+AAAAAgAAIUwAAAACAAAPtQAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/audiencemanager-v2.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Targets

- Target
  
  顺丰2023年4月裁员名单/2023年4月裁员人员名单.doc.lnk
- Size
  
  1KB
- MD5
  
  c4273f81b467411ecf04f3d738ce7d46
- SHA1
  
  dbf01e0b38962457605f2ca6a0fe6cb0796606be
- SHA256
  
  223aa57937a946d01b70ee4d5be7862edf7923a8f8b8fbb2cbecfd836d786533
- SHA512
  
  69115a4d18cfea01a41adffae2d81a7be1bc65abf14f2b0cf16d99a00c60c3f6f71b2a48f9bcfe9736b6998b0cf0b893d2fdf510cccf3a08d14025cc23179304
Score

10^/10

cobaltstrike 100000 backdoor trojan 0
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  顺丰2023年4月裁员名单/清单列表/.__MACOSX__/闕ｳ�ｭ隴�/._MACOS_/NisSrv.exe
- Size
  
  2.5MB
- MD5
  
  00807cb535815226ee686eb91a2a656a
- SHA1
  
  057bde96c8640763e9c85f0dc191d106eecd78c6
- SHA256
  
  3bbaa72413571b18979428250cc34ee4f8db54cbf092192b076aeaaeb66e2bcd
- SHA512
  
  a3bfcfd402d126facd1fec445758099b23c4a09dd58a0d2a7faaba14bd289b0892820bc07e3f0e904a5e6819cfdbb35da8cf65e57ad3c30e97b4feac2a5c421c
- SSDEEP
  
  49152:Wqgyd/DHXBgnqPi3W0EfLckdKO+EER8JXO:sKRIsM
Score

10^/10

cobaltstrike 100000 backdoor trojan 0
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral3 behavioral4
- Target
  
  顺丰2023年4月裁员名单/清单列表/.__MACOSX__/闕ｳ�ｭ隴�/._MACOS_/apt.vbs
- Size
  
  265B
- MD5
  
  a513cda58ecfa219a487807b3e41c6e4
- SHA1
  
  4beb5b4e9011113fa46dc4012f2636de2fbfa602
- SHA256
  
  7f759dc9bd152d933acab73cd2710324ba1ee063dd7af602825847eb1b7ae825
- SHA512
  
  cfb620c5e3cbecb5dcf88fc0c718db038bb1cb0330d5504c5f878c057089881d73b441b6d39af9b6e1e79112db840d9706417888c1a1bdd09b4cb50b6ed300a7
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6
- Target
  
  顺丰2023年4月裁员名单/清单列表/.__MACOSX__/闕ｳ�ｭ隴�/._MACOS_/mpclient.dll
- Size
  
  7.7MB
- MD5
  
  8921c19346490f493f5860e192be89a5
- SHA1
  
  e04ec95bc4dd5d60f178e9e5a2c77bae9614abac
- SHA256
  
  c4cf4690034dbba494e659c69a4b17904afb9a346b1533c6060c418cf5f03ec3
- SHA512
  
  75c6ba71d8e45e961ca83af05420658a1c021fb4e907be921e7d332f875bb1157bcd8ee047074cc0838d2b0d540a3c6577252360721772f52a57571aca458caf
- SSDEEP
  
  49152:wbuLeRpgCqf87rb/TcvO90d7HjmAFd4A64nsfJNmxJz0DB60wTdI0AqXi/yqozRK:TkqwVYGLRYhLjhXr1EHeEiRJ
Score

3^/10
behavioral7 behavioral8
- Target
  
  顺丰2023年4月裁员名单/清单列表/裁员清单.xlsx
- Size
  
  12KB
- MD5
  
  a5e8de2e92ed653fd5743033420e5f19
- SHA1
  
  6de442e26d8ca063813093947dd95827c20f94e7
- SHA256
  
  a9653d71c07ca55b556019f245eb71dd6d66ea8bb3d81a6c3c7bb926ec574715
- SHA512
  
  3d06526b3f5672ac09eb7ef547dd8d18f2302e7c7b8816471cd33d94b2787801121c8d234d03a430a267e803cc72c8afac27b3f09f47ffd321eb6d8be948032e
- SSDEEP
  
  192:Bs2Hv2ObsIZzavtQryWSQzjJ2BflLgSt3Y9tldo2aXs:Wqv2MsmKQ/nJ2RV/t3Y1dzaXs
Score

1^/10
behavioral10 behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Targets

Checks computer location settings

Cobaltstrike

Cobaltstrike

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10