Overview

overview

10

Static

static

10

f77b9f339c...9b.dll

windows7-x64

10

f77b9f339c...9b.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f77b9f339ce0c619ff9e1d19ff4ece0b1af0b274b0702be42b7f18fc51e7a89b

  • Size

    9KB

  • Sample

    230826-3yaj6sec58

  • MD5

    65965a634ca04dc656e01a33ac11d2dc

  • SHA1

    e432e3a15a005fa0fc9a2e7de2e8722eae8af99b

  • SHA256

    f77b9f339ce0c619ff9e1d19ff4ece0b1af0b274b0702be42b7f18fc51e7a89b

  • SHA512

    d93876733785a76cea3c58643d93fb4b0aa096381844703bd9d26cb931dd9b14049d9124f4cec65ab8418caca44288db2e200b8490b24078033fb1712539eb3f

  • SSDEEP

    192:oa+WXeg+5MLpQd9cuWIPWJ9H1jOLP3tf3MjHaZ3Vv:HVe0pQdfeJvjw9saZFv

Score
10/10
cobaltstrikemetasploit1backdoortrojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://sfioa-express.intlsdcn.com:2096/sflink-client/reportdatasvr/b6e95a48-ff6c-fdc2-182e-442bc82fdcfc

Extracted

Family

cobaltstrike

Botnet

1

C2

http://sfioa-express.intlsdcn.com:2096/services/rule-package/sflink/updates/2679521d-ef7a-8507-8130-150fb28f5cda

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    sfioa-express.intlsdcn.com,/services/rule-package/sflink/updates/2679521d-ef7a-8507-8130-150fb28f5cda

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    13312

  • polling_time

    85465

  • port_number

    2096

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcC7PQo8o9bAWDGWqCAZ/perRPQCbqcO3sDKcC8JP/ap9pDqcx4LEnG6Yc174apQCxrgrxh9EQmtTqmbECk97G0vAm+cq1cMxzUynju5ksHq0Tve4aDPmLyip3HajJV2ahzRPY90oEZ5KlgNosGqaMAHkzs59kczR6MmkDKX8KHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /services/support/dig/1f3063fb-144a-a5a2-bc62-9b3f1644e299

  • user_agent

    sfink-client

  • watermark

    1

Targets

    • Target

      f77b9f339ce0c619ff9e1d19ff4ece0b1af0b274b0702be42b7f18fc51e7a89b

    • Size

      9KB

    • MD5

      65965a634ca04dc656e01a33ac11d2dc

    • SHA1

      e432e3a15a005fa0fc9a2e7de2e8722eae8af99b

    • SHA256

      f77b9f339ce0c619ff9e1d19ff4ece0b1af0b274b0702be42b7f18fc51e7a89b

    • SHA512

      d93876733785a76cea3c58643d93fb4b0aa096381844703bd9d26cb931dd9b14049d9124f4cec65ab8418caca44288db2e200b8490b24078033fb1712539eb3f

    • SSDEEP

      192:oa+WXeg+5MLpQd9cuWIPWJ9H1jOLP3tf3MjHaZ3Vv:HVe0pQdfeJvjw9saZFv

    Score
    10/10
    cobaltstrikemetasploit1backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Blocklisted process makes network request

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks