blister | 0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00

General

Target

colorui.dll
Size

879KB
MD5

a91ba8f4a339a98fa94e810831e83d96
SHA1

871e52778597185f98eb0a57127024bcd094cf07
SHA256

0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00
SHA512

ac6fb57225f0765f40ee298e12d430d45e5d9b59f16742cb4c32f56b5663c244dad47d7c80a1919e09f4f9edc3ad0ac4645ee6aff9925c5d860651593f0b1a3e
SSDEEP

24576:AoqhXglZsUW76pC+BUZP5IVjt8Ib09JAIX:AoqXgl+R+BUZP5IXb0v

Score

10^/10

blister cobaltstrike 1580103824 backdoor loader trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103824

C2

http://DiscountShadesDirect.com:443/safebrowsing/mltNSalU/gmMyWyjy7MOa4RBmFE0bOlGBBE8t

Attributes

access_type
512
beacon_type
2048
host
DiscountShadesDirect.com,/safebrowsing/mltNSalU/gmMyWyjy7MOa4RBmFE0bOlGBBE8t
http_header1
AAAAEAAAAB5Ib3N0OiBEaXNjb3VudFNoYWRlc0RpcmVjdC5jb20AAAAKAAAAR0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAABwAAAAAAAAANAAAAAgAAABJSRUY9SUQ9dm5wS1N2WlRab2kAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAB5Ib3N0OiBEaXNjb3VudFNoYWRlc0RpcmVjdC5jb20AAAAKAAAAR0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAABwAAAAAAAAANAAAAAgAAAA1VPXZucEtTdlpUWm9pAAAAAgAAAAdSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10240
polling_time
13000
port_number
443
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/safebrowsing/yvn36q/nRvQ93V4pQUJDehCv1EdYchQKu1mTro9R5XuNcnA
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.34 Safari/537.36 Edg/81.0.416.20
watermark
1580103824

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detect Blister loader x32 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1820-133-0x0000000017170000-0x000000001724F000-memory.dmp	family_blister_x32

Blocklisted process makes network request 5 IoCs

flow	pid	Process
47	1820	rundll32.exe
49	1820	rundll32.exe
50	1820	rundll32.exe
51	1820	rundll32.exe
52	1820	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1820	2796	rundll32.exe	83
PID 2796 wrote to memory of 1820	2796	rundll32.exe	83
PID 2796 wrote to memory of 1820	2796	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\colorui.dll,LaunchColorCpl
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\colorui.dll,LaunchColorCpl
  2⤵
  - Blocklisted process makes network request
  PID:1820

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WinEngineSvc\WinEngineSvc.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/1820-133-0x0000000017170000-0x000000001724F000-memory.dmp

Filesize
892KB

Download
memory/1820-140-0x0000000003590000-0x00000000035C4000-memory.dmp

Filesize
208KB

Download
memory/1820-141-0x00000000035D0000-0x0000000003631000-memory.dmp

Filesize
388KB

Download
memory/1820-142-0x00000000035D0000-0x0000000003631000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing