Overview

overview

10

Static

static

3

bd34bbcf94...4c.exe

windows7-x64

10

bd34bbcf94...4c.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c

  • Size

    4.2MB

  • Sample

    230810-qdj7nach65

  • MD5

    0d45a224e1bd75dc5573b8bb5ad028b5

  • SHA1

    d1c78f3d46ae95140901f4e4d345d58d5bde876c

  • SHA256

    bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c

  • SHA512

    d6d83008c08158b50802ad737e59af4a9f4928e6e796ad3efd2967e99375c52f14e37b45fb93fac57f7d723ce5d8f21485f90e659cc0752f8e72c39e92664538

  • SSDEEP

    98304:9s+t7z1QBri9v+04O2dB6wmwSyjov40BLauuOCc81VQLcMtKC:a+t7RQVi9okHWRaWufCRVQfj

Score
10/10
cobaltstrikemetasploit305419896backdoortrojanupx

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://124.222.220.126:80/login.js

Attributes
  • headers User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://124.222.220.126:80/admin/login

Attributes
  • access_type

    512

  • host

    124.222.220.126,/admin/login

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAnUmVmZXJlcjogaHR0cHM6Ly93d3cuYmp0LmJlaWppbmcuZ292LmNuAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    5000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.82554112e+09

  • unknown2

    AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /admin/user

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

  • watermark

    305419896

Targets

    • Target

      bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c

    • Size

      4.2MB

    • MD5

      0d45a224e1bd75dc5573b8bb5ad028b5

    • SHA1

      d1c78f3d46ae95140901f4e4d345d58d5bde876c

    • SHA256

      bd34bbcf94d6d517038dca28f2e84d54d2f7e8f7b234bf67126b45281b27944c

    • SHA512

      d6d83008c08158b50802ad737e59af4a9f4928e6e796ad3efd2967e99375c52f14e37b45fb93fac57f7d723ce5d8f21485f90e659cc0752f8e72c39e92664538

    • SSDEEP

      98304:9s+t7z1QBri9v+04O2dB6wmwSyjov40BLauuOCc81VQLcMtKC:a+t7RQVi9okHWRaWufCRVQfj

    Score
    10/10
    cobaltstrikemetasploit305419896backdoortrojanupx

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks