General

  • Target

    Download.rar

  • Size

    22.3MB

  • Sample

    230828-re1rgaee4y

  • MD5

    ac2fce48d4f397fcfdf040cb719250b8

  • SHA1

    758c7846767bff96a54ce5abe8dc3afb81ad4dbf

  • SHA256

    116e125944d93764b578f1b8f3d21b35e2498d93e6790e936aaed83a30b88fc8

  • SHA512

    7d8094bd2b01df403cd51e1c8096cc08c86788d06a185579b0fe7985057aad4471b967dcb4ddeeb9e941eef4e0bad667bd94494da708ae5c1bb24f7028e8715e

  • SSDEEP

    393216:dqgOBHa3U7ZHw7N79o3oH9cZ24cc9nmVUPWkjl/am6j7CRwcW9TJ7ykAIEwstJ7m:9OBHa3WZQ7N7aIcZ24pjlj6juwcW9UfU

Malware Config

Extracted

Family

cobaltstrike

C2

http://62.234.179.51:8900/5nqI

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MANM; MANM)

Extracted

Family

cobaltstrike

Botnet

666666

C2

http://62.234.179.51:8900/g.pixel

Attributes
  • access_type

    512

  • host

    62.234.179.51,/g.pixel

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    8900

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaRzoJpfOzPCpbuH6RtQBTQBC74ZKHlqDhUU5cLu3ETia0IQl5CHg7X+kU0dDvwqEft4jA5qkuJTOKWM6JsLI+9HVmhluZwQowZ1uQG7WDrBIN5Os72l4KuJko1TihBYQP0GippZDUx+CcqrXOaH9U5QBAaKUeDDOtZ2VjboR58QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; InfoPath.3)

  • watermark

    666666

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0
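The two http_header* attributes above are not literal HTTP headers. They are the beacon's HTTP-GET and HTTP-POST client transforms, stored in the beacon config as a sequence of big-endian 32-bit opcodes (opcode 0 terminates the list, and some opcodes carry a length-prefixed string), which the sandbox has base64-encoded. The decoder below is an added example, not part of this report or of any vendor tool; the opcode names and the meaning of the build argument follow the convention of the public beacon-config parsers, which is an assumption about the encoding rather than something the report states. It reconstructs the Malleable C2 client blocks (a best-effort rendering of profile syntax) and also computes the checksum8 of the stager URI /5nqI from the first extracted config: Cobalt Strike serves the x86 stage when the sum of the URI's ASCII bytes mod 256 is 92 and the x64 stage when it is 93, so a result of 93 identifies that URL as an x64 stager request, consistent with the first config being the stager rather than the full beacon. The two blobs and the URI are copied from the report; the constant names, function names and the /g.pixel comparison are mine.

```python
import base64
import struct

# Values copied from the report above. http_header1 is the HTTP-GET client
# transform, http_header2 the HTTP-POST client transform (both as shown).
HTTP_GET_CLIENT = "AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
HTTP_POST_CLIENT = "AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
STAGER_URI = "/5nqI"

# Transform opcodes, named as the public beacon-config parsers name them
# (assumption: follows the Sentinel-One CobaltStrikeParser / 1768.py
# convention). The boolean says whether a length-prefixed string follows.
# Opcodes not listed here (e.g. strrep, host-header constants) are rejected.
TRANSFORM_OPS = {
    1: ("append", True), 2: ("prepend", True), 3: ("base64", False),
    4: ("print", False), 5: ("parameter", True), 6: ("header", True),
    7: ("build", False), 8: ("netbios", False), 9: ("const_parameter", True),
    10: ("const_header", True), 11: ("netbiosu", False),
    12: ("uri_append", False), 13: ("base64url", False), 15: ("mask", False),
}


def _u32(data, off):
    """Big-endian uint32 at offset; every field in the blob is stored that way."""
    return struct.unpack(">I", data[off:off + 4])[0]


def decode_transform(blob_b64, post=False):
    """Return the transform as a list of tuples, e.g. ("header", "Cookie").

    The blob is a sequence of uint32 opcodes, each optionally followed by a
    uint32 length and that many bytes; opcode 0 terminates it (the rest of
    the blob is zero padding). In the HTTP-GET block `build 0`/`build 1`
    open the metadata/output sections; in the HTTP-POST block the id/output
    sections.
    """
    blob = blob_b64.strip().rstrip("=")
    if len(blob) % 4 == 1:  # an incomplete final quartet can only be paste damage; the tail is zero padding
        blob = blob[:-1]
    data = base64.b64decode(blob + "=" * (-len(blob) % 4))
    sections = ("id", "output") if post else ("metadata", "output")
    steps, off = [], 0
    while off + 4 <= len(data):
        op = _u32(data, off)
        off += 4
        if op == 0:
            break
        if op not in TRANSFORM_OPS:
            raise ValueError(f"unknown transform opcode {op} at offset {off - 4}")
        name, has_arg = TRANSFORM_OPS[op]
        if name == "build":
            which = _u32(data, off)
            off += 4
            if which >= len(sections):
                raise ValueError(f"unexpected build target {which}")
            steps.append(("build", sections[which]))
        elif has_arg:
            length = _u32(data, off)
            off += 4
            steps.append((name, data[off:off + length].decode("latin-1")))
            off += length
        else:
            steps.append((name,))
    return steps


def render_client_block(steps, section):
    """Best-effort reconstruction of the Malleable C2 client block the steps encode."""
    out = [f"{section} {{", "    client {"]
    open_block = False
    for step in steps:
        if step[0] == "const_header":          # profile: header "Name: value";
            out.append(f'        header "{step[1]}";')
        elif step[0] == "build":               # opens metadata/id/output { ... }
            if open_block:
                out.append("        }")
            out.append(f"        {step[1]} {{")
            open_block = True
        elif len(step) == 2:
            out.append(f'            {step[0]} "{step[1]}";')
        else:
            out.append(f"            {step[0]};")
    if open_block:
        out.append("        }")
    out += ["    }", "}"]
    return "\n".join(out)


def checksum8(uri):
    """Stager URI check Cobalt Strike inherited from Metasploit: the sum of the
    path's ASCII bytes mod 256. 92 requests the x86 beacon stage, 93 the x64
    one; other values do not match a stager request."""
    return sum(uri.lstrip("/").encode("ascii")) % 256


if __name__ == "__main__":
    print(render_client_block(decode_transform(HTTP_GET_CLIENT), "http-get"))
    print(render_client_block(decode_transform(HTTP_POST_CLIENT, post=True), "http-post"))
    print(f"checksum8({STAGER_URI!r}) = {checksum8(STAGER_URI)}")
```

Run as-is, the decoder prints an http-get client block of `metadata { base64; header "Cookie"; }` and an http-post client block of `header "Content-Type: application/octet-stream"; id { parameter "id"; } output { print; }`, which is the stock Cobalt Strike profile rather than a customised one, and reports checksum8 93 for the stager URI. Two further reading notes on the config above: the `state_machine` value is, despite the sandbox's label, the beacon's RSA public key (a base64 DER SubjectPublicKeyInfo, zero-padded), and that key together with the watermark is the usual pair for tying beacons back to one team server; and the `sc_process32`/`sc_process64` values are the spawn-to paths, so a `rundll32.exe` started from those locations with no command-line arguments is the post-exploitation artefact to hunt for on hosts that reached this C2.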

Targets

    • Target

      8.27.exe.vir

    • Size

      5.8MB

    • MD5

      aee4cdb0baf5e87e678a5849f724bd9d

    • SHA1

      4a4fc2b674433b0ff0942f9c8d3ab9a07f2f39c3

    • SHA256

      6d18277394b37050a7b84ace8ce85d6d2dda6412e51e306129b8cfc94855b2f9

    • SHA512

      f98bdddc7f54936eec21906a9d7588082654f6b69ed3cf7c8840644aae5e3088d6931eda57d74b538d27036da19dd91aeebdf0e3d24064deab69561feffddfb3

    • SSDEEP

      98304:rW3ieP7d9RCpmNynH2SARHS9BmZ0oGFE3yg+4IXWmztphGEoRFDC6AlmU13t2T89:ru3QpNnH25cXXfFf40ztDcRZ1XU192eF

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

office安装助手.exe.vir (Office installation assistant)

    • Size

      233KB

    • MD5

      5b7d97522d4035c4f4f4f5d92f3df931

    • SHA1

      c4dd75afa16fd91631524a6444ddbf770af807ec

    • SHA256

      c15954fdf792a0db30046a4b942c62fb356d5e6e3803149c02ff3c8741d64786

    • SHA512

      9f47cd34bd938152a7a741bb8b8bbe48e3e18365345ae02a7753149c94a0c7fa3c4abeb4606f6285c3b473dbb32f4bd88436f7fe0b45664a1deaab73cd254bbf

    • SSDEEP

      3072:ljBsj3J6/qxxxSuAk7GSnvT4Wak7GSnvT4WpZQNShYEtWN:u3vP/HkqHkrrB

    Score
    8/10
    • Downloads MZ/PE file

    • Target

      pdf.exe.vir

    • Size

      3KB

    • MD5

      1f53ae6118faec2c66ccc0a7229786f0

    • SHA1

      797573dc4564a054e309b66150431dc83c9981a7

    • SHA256

      3a49e2e35e719f6b5719f59af3709a9f8a6a84a9413778b5c1f9fb630461298c

    • SHA512

      c6d743267068d50cfa4bf478439f9f029046518cdfab4a4f0e03cfe5b753ba95a21c101a17beb62a6160a629be3cad265f610dccae95c48e0ec9017230b13710

    Score
    3/10
    • Target

      test.exe.vir

    • Size

      109KB

    • MD5

      efab528e438e8fcbb2e4f3f4ac93bff8

    • SHA1

      5509d3f725cb2734e8f0adee0c6d21553f5ab350

    • SHA256

      4b01d5fd17d86831f99fc06f0290d3349de527defc10413a1f740f739a8650ef

    • SHA512

      fb49f011d8aac7399f4d73b00094535a04e5d853b3c6fca9c3c4828555a1d135e1375a1dd18baae4d70535125f214b24bb9fd5da2a80e4003787dcab2fc957f7

    • SSDEEP

      1536:xcHseLfO6itnRj6ShqmM31u6QFSTaQ6STzARTTXLGsWXdj9dlwT4IC:CHseaRjt0mMlu6iYavSzA5TbW7+T4I

    Score
    1/10
    • Target

企财险中财产基本险中第四点飞行物体及其他空中物体坠落表诉不清存在歧义.exe.vir (commercial property insurance: item 4 of the basic property cover, on falling aircraft and other airborne objects, is unclearly worded and ambiguous)

    • Size

      8.8MB

    • MD5

      22c8758e4a28e4817f3266e805198934

    • SHA1

      ad13ab825c9efe9c5d777ae3132dda810eec5a6c

    • SHA256

      98b65006f5ae1fd5a941bfa2a91ddeb088a064b2d2e8afee4a865eb10fb31ca3

    • SHA512

      ac26300262139b3f0293c774a89faae5e5302cd45068ecf5270067ab5ade59ae29acf5348474e39b6b07bac062ebfa6b06c64c7ef4b45f24523767d8c541ba5a

    • SSDEEP

      196608:iagpqFEQMnsz7Rj4xScZlRLHof0FWjvjdhvyo+7M:JHFEQgsXRUxblNIHjvxZy

    • Cobaltstrike

Detected a malicious payload that is part of Cobalt Strike.

    • Loads dropped DLL

    • UPX packed file

Detects executables packed with the open-source UPX packer or a modified UPX.

    • Target

截图1-8.exe.vir (Screenshots 1-8)

    • Size

      5.2MB

    • MD5

      516d81e80766f235a182d215f35d3ba6

    • SHA1

      aa4fc0e6480de83850ea97c946d1105718279c34

    • SHA256

      71cb48149e6cce7361d7afa7bc8f18ada65013cbc429a7fe8acc5e629b908a58

    • SHA512

      da3a42c1e1d484f429c878b1278bf71d464b1b18bbff258dea356d67291ec1c7ebd2cbb965d37a0af0623d86a8c7755f2135cc4abc8fe8a5d16c3b9a2d63f597

    • SSDEEP

      98304:hknqt0a9JbMvP2aQ+AW3xqsZqwTsuaDLxmAzBcrt//svPYRA3Dyt2jc31w:hknqtdMFjsuaDL59QOX4

    Score
    8/10
    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

方案D.exe.vir (Plan D)

    • Size

      3.1MB

    • MD5

      e7e2c5fe935a929e8834562babe4f7f0

    • SHA1

      bbd48a3bd9ecbad8758fc29fa7331352e61cae87

    • SHA256

      be60372a41152aa7913b595b509c8f41a7c829a9bb0599c86d48c2e24dfae701

    • SHA512

      99b0775785b7ce73f05745faec117970534fd8749f15390fd789370ebff0dc3e575a1fc457a6059dfd2e022356f9cb2a758aefa1f6ffadaf9d387ddeb00ba8b3

    • SSDEEP

      98304:0WWqUDFp528AeJx0d6uxcP1jStMOlHX3Z7yOvY3M5aHo9M:0W8D7Eea6uGNjSxFX3oOvYc5aHsM

    Score
    1/10
    • Target

苏宁系统测试bug流程文档20230816.exe.vir (Suning system test bug workflow document 20230816)

    • Size

      8.9MB

    • MD5

      ebe8bbb6aa0e693e2359fd50b4dbc096

    • SHA1

      4f8ce30544efab871573ac837643559abc41313d

    • SHA256

      a5946e0b44b66b2aa4cbc3d701a2a6c758e540f6aef4c4c8891a073967818ebd

    • SHA512

      1b3c9f27cc6f305f1dee04c385a7013837196c0a8f6ab9b21da6ce822cbd4f37d730259d05c5bb2b8c45fd2f9cb6b74ec3c46a79398ae1b8cf4de0dca47f79ff

    • SSDEEP

      98304:cVM30/Srtso4HAd1n60Ra/LEvljodiHyP:+v8tkgvnJa/YvljoB

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks