Overview

overview

10

Static

static

3

764a964ab9...30.exe

windows7-x64

10

764a964ab9...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2023 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    764a964ab9efffc2ec3625b62ae6d0fedab076e8f79513877db41b4699a39d30.exe

  • Size

    449KB

  • MD5

    7eb501e8240ff1a0fa1bcf1c32dac522

  • SHA1

    d5a62d1b30c7c5dd9d8f35d7038eea6bb7fa160c

  • SHA256

    764a964ab9efffc2ec3625b62ae6d0fedab076e8f79513877db41b4699a39d30

  • SHA512

    aff845acf5f9c61b9cf28d9c1c56f3907e3ed584a63fea972f9ec946931b13516eba8956293606588b1db22cc4bddba93e4e82b0edd7b0dc75d0f7b08046c173

  • SSDEEP

    12288:dByDA7Uvb5n8phWpbIYL+jbnASKU5OEUcO:dByDA7KJih0L0nAjUsC

Score
10/10
cobaltstrike100000000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://111.177.3.35:80/api/v2/Sysconfig

http://118.182.249.49:80/api/v2/Sysconfig

http://58.243.203.35:80/api/v2/Sysconfig

http://122.228.115.35:80/api/v2/Sysconfig

http://219.151.25.35:80/api/v2/Sysconfig

http://175.6.53.35:80/api/v2/Sysconfig

http://219.152.185.35:80/api/v2/Sysconfig
Attributes
  • access_type

    512

  • host

    111.177.3.35,/api/v2/Sysconfig,118.182.249.49,/api/v2/Sysconfig,58.243.203.35,/api/v2/Sysconfig,122.228.115.35,/api/v2/Sysconfig,219.151.25.35,/api/v2/Sysconfig,175.6.53.35,/api/v2/Sysconfig,219.152.185.35,/api/v2/Sysconfig

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    35000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCybUBngQWbCUzDYGsNNcmiOKH3SjEhpdMBnS9p6/sg+5sXNN938wG3CHFdLVwe07hcR/tNphXX0cNJ603xQiq8b5WbD+vm/UGnftlCmWrB1dw76eR8LAgiaX75iRIIj7acafXBGmiYzgXnMZAd3RdL9tERhkaHU0C2ssOCLRHUKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /api/v2/TimezoneUsingPost

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

  • watermark

    100000000

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\764a964ab9efffc2ec3625b62ae6d0fedab076e8f79513877db41b4699a39d30.exe
    "C:\Users\Admin\AppData\Local\Temp\764a964ab9efffc2ec3625b62ae6d0fedab076e8f79513877db41b4699a39d30.exe"
    1⤵
      PID:1796

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1796-134-0x00000000060B0000-0x0000000006522000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1796-133-0x0000000005060000-0x00000000050A1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/1796-135-0x00000000060B0000-0x0000000006522000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1796-136-0x0000000000400000-0x00000000004A6000-memory.dmp

      Filesize

      664KB

      Download