Behavioral task
behavioral1
Sample
defc35870b938efd3d3ce07919ed5ee56f7164bb26425e92bb4c2d6c03661828.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
defc35870b938efd3d3ce07919ed5ee56f7164bb26425e92bb4c2d6c03661828.exe
Resource
win10v2004-20230703-en
General
-
Target
defc35870b938efd3d3ce07919ed5ee56f7164bb26425e92bb4c2d6c03661828
-
Size
153KB
-
MD5
97bacafea2e5b1fc7f5ae3fb8b870344
-
SHA1
a6437ce7a18be70126cf1440bc4dbc7791be442d
-
SHA256
defc35870b938efd3d3ce07919ed5ee56f7164bb26425e92bb4c2d6c03661828
-
SHA512
d78d8083e16c043c29c7717b71441aacf2ed8e3f25aa00d64e56e85432fc2e1244b0ff94afee8e4064e5ad09ab0ff4bbeb28da2c964cc1a08444adcb2631d0f7
-
SSDEEP
3072:YeWOtFB4MCx1SYgoL2j9gZ++93b2toxESFWIYZ23s9:YeWsIxQoL2N6bfhFAZgs
Malware Config
Extracted
cobaltstrike
http://res.youth.cn:80/meCore.min.js
-
user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: vip.iqiyi.com Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
Signatures
-
Cobaltstrike family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource defc35870b938efd3d3ce07919ed5ee56f7164bb26425e92bb4c2d6c03661828
Files
-
defc35870b938efd3d3ce07919ed5ee56f7164bb26425e92bb4c2d6c03661828.exe windows x64
9eeaf96080b8cc52b95f630937b57175
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
GetEnvironmentVariableW
GetCurrentDirectoryW
SetLastError
RtlLookupFunctionEntry
RtlCaptureContext
GetCurrentThread
GetCurrentProcess
AcquireSRWLockExclusive
GetStdHandle
GetCurrentProcessId
TryAcquireSRWLockExclusive
SetThreadStackGuarantee
AddVectoredExceptionHandler
HeapReAlloc
WaitForSingleObjectEx
CreateMutexA
GetModuleHandleA
ReleaseSRWLockShared
GetConsoleMode
ReleaseMutex
GetModuleHandleW
AcquireSRWLockShared
ReleaseSRWLockExclusive
MultiByteToWideChar
WriteConsoleW
TlsGetValue
TlsSetValue
GetSystemTimeAsFileTime
GetCurrentThreadId
InitializeSListHead
FreeLibrary
GetProcAddress
LoadLibraryA
FormatMessageW
RtlVirtualUnwind
HeapFree
HeapAlloc
GetProcessHeap
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
WaitForSingleObject
CreateThread
VirtualAlloc
VirtualFree
QueryPerformanceCounter
CloseHandle
IsProcessorFeaturePresent
oleaut32
GetErrorInfo
SysStringLen
SysFreeString
ntdll
RtlNtStatusToDosError
NtWriteFile
vcruntime140
__current_exception_context
__C_specific_handler
_CxxThrowException
memmove
memset
memcmp
__CxxFrameHandler3
memcpy
__current_exception
api-ms-win-crt-runtime-l1-1-0
_exit
exit
_set_app_type
_configure_narrow_argv
_initterm_e
_initterm
__p___argc
_seh_filter_exe
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
terminate
_get_initial_narrow_environment
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
__p___argv
api-ms-win-crt-math-l1-1-0
__setusermatherr
api-ms-win-crt-stdio-l1-1-0
_set_fmode
__p__commode
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
api-ms-win-crt-heap-l1-1-0
free
_set_new_mode
Sections
.text Size: 109KB - Virtual size: 108KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 36KB - Virtual size: 35KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 744B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 5KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1024B - Virtual size: 940B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ