Overview

overview

10

Static

static

1

e618fbe8b2...55.exe

windows7-x64

10

e618fbe8b2...55.exe

windows10-1703-x64

10

e618fbe8b2...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    31-08-2023 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e618fbe8b24145183667669f26219ff68df703846e48ec6ab6628e6e73f47655.exe

  • Size

    9.8MB

  • MD5

    dcc1d34789c2eafa6473d17639c1c2ef

  • SHA1

    f39ae0fc6d0e4b14cfd41e1d132fd82072b0f6e0

  • SHA256

    e618fbe8b24145183667669f26219ff68df703846e48ec6ab6628e6e73f47655

  • SHA512

    6c89064e24244c7d004d5c4bd7ba6b37bd357c2561b28403d58dc73f858a45ff062fc3a16c130f4d04a6b3529c3f6dc9bfcb5c16851c19861c52c9b4d1df1089

  • SSDEEP

    196608:ADVNoP4kZIaP74en4vkh9+IQb/ZzuJ9SL2W54/OUrUf1tdWSXbu:CVNoTbj4vkh99Qbxc9MsGnf1tds

Score
10/10
cobaltstrike1234567890backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://sai0thoh.in:443/jquery-3.3.2.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:108.0) Gecko/20100101 Firefox/108.0

Extracted

Family

cobaltstrike

Botnet

1234567890

C2

http://sai0thoh.in:443/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    sai0thoh.in,/jquery-3.3.1.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    10000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHst3s8KGq73Aa6kgobqHYxtte8le5J+ZhpExQ9p0OPLGiw5sJdvI53GaNDQ9vBnDoidrplY1e9D9+lMMeewxre0aTTh+ccrmjTsJ/P24+4EDxWqE7gLwDMJ37vO+iGzrW8bsmgNxbFaHonga+bgHFwzD7mk7jowEBU3ImKPtHywIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; rv:108.0) Gecko/20100101 Firefox/108.0

  • watermark

    1234567890

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e618fbe8b24145183667669f26219ff68df703846e48ec6ab6628e6e73f47655.exe
    "C:\Users\Admin\AppData\Local\Temp\e618fbe8b24145183667669f26219ff68df703846e48ec6ab6628e6e73f47655.exe"
    1⤵
      PID:2564
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {A911AB0D-F095-4A10-B63D-606080A104E8} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\ProgramData\Python3\python.exe
        C:\ProgramData\Python3\python.exe C:\ProgramData\Python3\src.py
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        PID:2996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Python3\VCRUNTIME140.dll
      Filesize

      83KB

      MD5

      0c583614eb8ffb4c8c2d9e9880220f1d

      SHA1

      0b7fca03a971a0d3b0776698b51f62bca5043e4d

      SHA256

      6cadb4fef773c23b511acc8b715a084815c6e41dd8c694bc70090a97b3b03fb9

      SHA512

      79bbf50e38e358e492f24fe0923824d02f4b831336dae9572540af1ae7df162457d08de13e720f180309d537667bc1b108bdd782af84356562cca44d3e9e3b64

      Download Submit

    • C:\ProgramData\Python3\_ctypes.pyd
      Filesize

      120KB

      MD5

      f1e33a8f6f91c2ed93dc5049dd50d7b8

      SHA1

      23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

      SHA256

      9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

      SHA512

      229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

      Download Submit

    • C:\ProgramData\Python3\_socket.pyd
      Filesize

      77KB

      MD5

      d6bae4b430f349ab42553dc738699f0e

      SHA1

      7e5efc958e189c117eccef39ec16ebf00e7645a9

      SHA256

      587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef

      SHA512

      a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

      Download Submit

    • C:\ProgramData\Python3\libffi-7.dll
      Filesize

      32KB

      MD5

      4424baf6ed5340df85482fa82b857b03

      SHA1

      181b641bf21c810a486f855864cd4b8967c24c44

      SHA256

      8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

      SHA512

      8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

      Download Submit

    • C:\ProgramData\Python3\python38.dll
      Filesize

      4.0MB

      MD5

      d2a8a5e7380d5f4716016777818a32c5

      SHA1

      fb12f31d1d0758fe3e056875461186056121ed0c

      SHA256

      59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

      SHA512

      ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

      Download Submit

    • C:\ProgramData\Python3\python38.zip
      Filesize

      2.3MB

      MD5

      23d7103b88634e956ccd27e687e15fdb

      SHA1

      fddf7a1340f27518db2a77bcde494084a40daca0

      SHA256

      003042ca30fa490ea2d67fe41478a93d7908e855195ed90d66e37a019fe9e7bd

      SHA512

      40a02b66f29af951e34ee171c3c25c275bda1a486e5907cd47cea63b662a82012f45ccb9dabe6135a64a6382ab87fc040ec2e8cedd07a5f0c6539e74d5381944

      Download Submit

    • C:\ProgramData\Python3\select.pyd
      Filesize

      26KB

      MD5

      6ae54d103866aad6f58e119d27552131

      SHA1

      bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

      SHA256

      63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

      SHA512

      ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

      Download Submit

    • C:\ProgramData\Python3\src.py
      Filesize

      9KB

      MD5

      069088fcb2b1a0e121ee403ac7f49332

      SHA1

      d71beffbedafc70bcb4fef885c8b13b3a2838479

      SHA256

      dc0cee324af9d9890bd31202bb6dfa6778e13d0588eb57305e17f1a5f5552a89

      SHA512

      79cefee420c8334ae8f8abf7c89bc79bd6afccea98cd974218e54ecb73df3df278c776e71b152b4c7f86ce9975a99371c7aa4cad9477c9329978cf4fb5f98285

      Download Submit

    • C:\ProgramData\python3\python.exe
      Filesize

      97KB

      MD5

      b68275559fa9fc188fd1feef6d0d4326

      SHA1

      1a74049ec8bf2f9bca77e0504cfb24b78e447fd8

      SHA256

      1d838ad026c7d81d410f41f929225aa39f3e4a0d178e4cebc0cc2b299b783cf5

      SHA512

      d1b66d72543230afa9466eccf148d6489f983dc65d8140359c2bbdfd39ad013e4e7c94d8f19d021b5e6a70898504f57cd232eef6cefb8a007e7c71467470b10f

      Download Submit

    • \ProgramData\python3\_ctypes.pyd
      Filesize

      120KB

      MD5

      f1e33a8f6f91c2ed93dc5049dd50d7b8

      SHA1

      23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

      SHA256

      9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

      SHA512

      229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

      Download Submit

    • \ProgramData\python3\_socket.pyd
      Filesize

      77KB

      MD5

      d6bae4b430f349ab42553dc738699f0e

      SHA1

      7e5efc958e189c117eccef39ec16ebf00e7645a9

      SHA256

      587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef

      SHA512

      a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

      Download Submit

    • \ProgramData\python3\libffi-7.dll
      Filesize

      32KB

      MD5

      4424baf6ed5340df85482fa82b857b03

      SHA1

      181b641bf21c810a486f855864cd4b8967c24c44

      SHA256

      8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

      SHA512

      8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

      Download Submit

    • \ProgramData\python3\python.exe
      Filesize

      97KB

      MD5

      b68275559fa9fc188fd1feef6d0d4326

      SHA1

      1a74049ec8bf2f9bca77e0504cfb24b78e447fd8

      SHA256

      1d838ad026c7d81d410f41f929225aa39f3e4a0d178e4cebc0cc2b299b783cf5

      SHA512

      d1b66d72543230afa9466eccf148d6489f983dc65d8140359c2bbdfd39ad013e4e7c94d8f19d021b5e6a70898504f57cd232eef6cefb8a007e7c71467470b10f

      Download Submit

    • \ProgramData\python3\python38.dll
      Filesize

      4.0MB

      MD5

      d2a8a5e7380d5f4716016777818a32c5

      SHA1

      fb12f31d1d0758fe3e056875461186056121ed0c

      SHA256

      59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

      SHA512

      ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

      Download Submit

    • \ProgramData\python3\select.pyd
      Filesize

      26KB

      MD5

      6ae54d103866aad6f58e119d27552131

      SHA1

      bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

      SHA256

      63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

      SHA512

      ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

      Download Submit

    • \ProgramData\python3\vcruntime140.dll
      Filesize

      83KB

      MD5

      0c583614eb8ffb4c8c2d9e9880220f1d

      SHA1

      0b7fca03a971a0d3b0776698b51f62bca5043e4d

      SHA256

      6cadb4fef773c23b511acc8b715a084815c6e41dd8c694bc70090a97b3b03fb9

      SHA512

      79bbf50e38e358e492f24fe0923824d02f4b831336dae9572540af1ae7df162457d08de13e720f180309d537667bc1b108bdd782af84356562cca44d3e9e3b64

      Download Submit

    • memory/2564-13-0x000000013F780000-0x00000001400C1000-memory.dmp

      Filesize

      9.3MB

      Download

    • memory/2564-14-0x000000013F780000-0x00000001400C1000-memory.dmp

      Filesize

      9.3MB

      Download

    • memory/2996-32-0x0000000000950000-0x0000000000951000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2996-33-0x0000000003F40000-0x00000000043B2000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2996-34-0x0000000003B40000-0x0000000003F40000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2996-35-0x0000000003F40000-0x00000000043B2000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2996-36-0x0000000003B40000-0x0000000003F40000-memory.dmp

      Filesize

      4.0MB

      Download