Overview

overview

10

Static

static

3

【长安�...��.exe

windows7-x64

10

【长安�...��.exe

windows10-1703-x64

1

【长安�...��.exe

windows10-2004-x64

10

Resubmissions

13-08-2023 14:48

230813-r6nk8adb44 10

13-08-2023 14:42

230813-r3da3sdb24 3

Analysis

  • max time kernel
    2228s
  • max time network
    2230s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    13-08-2023 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    【长安马自达服务部】张国子服务申请表.exe

  • Size

    7.4MB

  • MD5

    fe5041436b0b3794a38cc35a3decdd5a

  • SHA1

    ef586c4e74c90064d9512e36d082c82cc30c0494

  • SHA256

    6c7f8b417df33726f5660ddb3eb8f7fb4ea09b36db55fafbc72b54bdb57ff597

  • SHA512

    5cc5137710861949ab52fa6f580af2f1754c31af012aa8ad3e3f094164d6e00cb2257ff69c5820ad5a4b2b933acd111299087761b7d4d440ed942d589d0f491d

  • SSDEEP

    3072:wUGWFt7bjNfdC0vEpFyevAbGJ6Tftx3CLt/f:hFTfdC0sLjvMhat

Score
10/10
cobaltstrike93347backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

93347

C2

http://download-file.oneban.cn.o8e48uqf.aidns.host:443/jquery/2.0.1/jquery.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    download-file.oneban.cn.o8e48uqf.aidns.host,/jquery/2.0.1/jquery.min.js

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAdSG9zdDogZG93bmxvYWQtZmlsZS5vbmViYW4uY24AAAAHAAAAAAAAAAMAAAACAAAAClNFU1NJT05JRD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAAEAAAAB1Ib3N0OiBkb3dubG9hZC1maWxlLm9uZWJhbi5jbgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCek/k6ZlMdPp5Nf9Y+sbrQEVw8hF5hJboZPLMMEXhePjTnsFvL8BI2W9nn0U2b6xI0foyxkeu7oSD6dYBVwK0jNIjBZ1t/dOUKeJ655/kxXjsagY9ANKx/qTtvakHYsTqhOsrxLw1pjVGiTA8kA0pGlpc5Dx+8K3g5//1xIOKjFwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.16770176e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAD64AAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery/2.0.2/jquery.min.js

  • user_agent

    Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)

  • watermark

    93347

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\【长安马自达服务部】张国子服务申请表.exe
    "C:\Users\Admin\AppData\Local\Temp\【长安马自达服务部】张国子服务申请表.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2660-55-0x0000000000010000-0x0000000000784000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/2660-56-0x0000000000D70000-0x0000000000E0F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/2660-57-0x00000000008C0000-0x00000000008DF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2660-58-0x0000000000E10000-0x0000000000F3D000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2660-59-0x0000000000B00000-0x0000000000B41000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2660-60-0x00000000021C0000-0x0000000002289000-memory.dmp

    Filesize

    804KB

    Download

  • memory/2660-61-0x0000000002290000-0x0000000002301000-memory.dmp

    Filesize

    452KB

    Download

  • memory/2660-62-0x00000000027C0000-0x00000000028C9000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2660-63-0x0000000001780000-0x0000000001BF2000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2660-64-0x0000000000B00000-0x0000000000B17000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2660-65-0x0000000003F70000-0x0000000003FC5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2660-67-0x0000000004570000-0x00000000045D4000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2660-66-0x00000000044F0000-0x0000000004561000-memory.dmp

    Filesize

    452KB

    Download

  • memory/2660-68-0x0000000004550000-0x000000000456E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2660-69-0x0000000005610000-0x00000000056A9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2660-70-0x0000000005A00000-0x0000000005A74000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2660-71-0x0000000005A80000-0x0000000005A98000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2660-72-0x0000000005D20000-0x0000000005D34000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2660-73-0x0000000005D40000-0x0000000005D4C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2660-74-0x0000000000B00000-0x0000000000B41000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2660-83-0x00000000058E0000-0x0000000005954000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2660-84-0x0000000005980000-0x000000000598C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2660-85-0x0000000006030000-0x00000000060A4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2660-86-0x0000000005900000-0x000000000590C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2660-95-0x00000000059E0000-0x0000000005A54000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2660-96-0x0000000005AA0000-0x0000000005AAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2660-99-0x00000000056C0000-0x0000000005734000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2660-100-0x0000000005770000-0x000000000577C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2660-102-0x0000000005760000-0x000000000576C000-memory.dmp

    Filesize

    48KB

    Download