cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

Download.rar
Size

8.8MB
Sample

230908-ntt1pabc65
MD5

8aa9b6dabf4ace7d9ea77994c0992c65
SHA1

7c20ac0838aff031ec9297453f2f0afdca3ce709
SHA256

1531a158dcb1c98da90e4625671d1cec0a838f1ec00ccee27013e9758e28cde8
SHA512

540981d058bfb0ed722ddda2b5f104103c0f3c0916b0ef331e5ae23740e0b0a5fc7e3435b7749a5df93af4776ec3a06b8b3c82e0b3f6bc53a749c2f8c81556cf
SSDEEP

196608:4nlfKdNA/wZeMdZ84gV8KA40mbf2cUoLUvP+jO5LfYyJeCHab1:4lfiNvdZ7Q8j40mKcUoLUvPtYfb

Score

10^/10

cobaltstrike 0 100000 100000000 391144938 backdoor evasion persistence trojan upx vmprotect

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

http://127.0.0.1:59275/api/console-base/cookie/govern

http://211.91.52.55:443/jquery-3.3.1.min.js

http://125.74.108.45:443/jquery-3.3.1.min.js

http://1.189.232.202:443/jquery-3.3.1.min.js

http://27.221.72.110:443/jquery-3.3.1.min.js

http://27.221.72.135:443/jquery-3.3.1.min.js

http://36.131.221.241:443/jquery-3.3.1.min.js

Attributes

access_type
512
host
127.0.0.1,/api/console-base/cookie/govern
http_header1
AAAABwAAAAAAAAADAAAAAgAAAAZ0ZnN0az0AAAAGAAAABkNvb2tpZQAAAAoAAAALQWNjZXB0OiAqLyoAAAAKAAAAIFgtUmVxdWVzdGVkLVdpdGg6IFhNTEh0dHBSZXF1ZXN0AAAAEAAAABRIb3N0OiB3d3cuYWxpeXVuLmNvbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9qc29uAAAACgAAACBYLVJlcXVlc3RlZC1XaXRoOiBYTUxIdHRwUmVxdWVzdAAAABAAAAAUSG9zdDogd3d3LmFsaXl1bi5jb20AAAAHAAAAAAAAAAUAAAACc24AAAAHAAAAAQAAAAMAAAACAAAACXsiZGF0YSI6IgAAAAEAAAACIn0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
7680
polling_time
10000
port_number
59275
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdpAYA5H5g4ejTK5FDPl3lTprxaVRmAdHRhhySdWVyUL3fbRg31HvlIelS8NH2TyPNZILZjxcNr/SuqkI13T0rVcP67mV7hTI3JnCzvT7pTyXh4Hh2X/WqMyiIBv0ay+Vu3Fv7HKlkJk5l2Syzo06cslDE13bWcPMFWdgakdny7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.66652032e+09
unknown2
AAAABAAAAAEAAAACAAAAAgAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/rest/componentPush.rules
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.08.911.59 Safari/537.36
watermark
100000000

Extracted

Family

cobaltstrike

http://47.96.174.24:88/VmWC

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUSMSNIP)

Extracted

Family

cobaltstrike

Botnet

391144938

http://38.147.172.99:443/load

http://103.214.168.86:443/ga.js

http://45.136.14.166:443/match

http://38.147.172.99:443/activity

http://134.122.167.72:443/visit.js

Attributes

access_type
512
beacon_type
2048
host
38.147.172.99,/load,103.214.168.86,/ga.js,45.136.14.166,/match,38.147.172.99,/activity,134.122.167.72,/visit.js
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsdHJ5dHJ5ZAAAAAcAAAAAAAAAAwAAAAIAAAAiU0VTU0lPTklEPXdxZTQ1NHdxZTJkczE1ZHM0ZHNhNWRzNAAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsdHJ5dHJ5ZAAAAAcAAAAAAAAAAwAAAAIAAAAjSlNFU1NJT049ZHNmNXNkNGY1ZTQ1ZmU0czY1ZDRmODU2ZTQAAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5120
polling_time
3000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLkw0kvfeugTUz0AmoVb/lE4jBMEVXSscLbqsILbLQbt0gXKVpDLWmw8u+ySk1wMPysDZiC7DSLdNEhH1tUiRNZfcKoe+OYofwP8EB7AJYsu1JZzVq3wlAzazE2wGXQqZNPPrdYvJUpVw7TijKATT9RT+Pk1mxbYYZqIhx+8TpwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/index.php
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
watermark
391144938

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Extracted

Family

cobaltstrike

Botnet

100000

http://47.96.174.24:88/dot.gif

Attributes

access_type
512
host
47.96.174.24,/dot.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
88
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCW2YBojWiu4JqVZa2JVdlnT/bI4tNoctW0OdnrpURu/OsCmCO+Gm50Wo6DNIWo6M6Xm7v/mZKlCe0ux9l1J3N6upyLQUsMfxMdtfXtpqrO4x2a/79CpLCD0Km4wC2aDW1rkVfQhejl4wET2kwKYDfYuZ9RSIJ3odyn+Qro7WTBAQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
watermark
100000

Targets

- Target
  
  Download/-服务端.exe
- Size
  
  2.7MB
- MD5
  
  af090e363e79628671faf1b0a98587aa
- SHA1
  
  a331bdb7770bf09346444e7cb6fbd03ca69dfc9b
- SHA256
  
  3f2d6c9827e4532876c5efc69f4d6f7ffd51a6958515887daae51a94133733f3
- SHA512
  
  9b667be4c606b18c5ff2bba8c5c9730e225c08d458ed677d4944642632040071e2c94f03a66a244550e1224d61d99f283fc2994803501a40e03a8981946ea1f9
- SSDEEP
  
  49152:gmCSDU+UUzxovO1+fDBgah1iMKZ+Ps+j2MQQWvPD15w9K9M0PCL8F4hUBAX9Q40Q:gmCAU+UUzx0OCDBbOZ+kHHhq9NLL8e08
Score

8^/10

evasion persistence trojan upx
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  Download/1.exe
- Size
  
  1.8MB
- MD5
  
  f0b3783d02decefad419810bf6129ac9
- SHA1
  
  3bb7a9c874a6faa0ff6800e3d70e8b85091dfddd
- SHA256
  
  b3ff9f6179c0221132eb6149b3aca64fcc564705972fc7253c8f6692a2742c30
- SHA512
  
  ff24f58709002b0aea3c141a369a44918bcb3b87496af289bf3e434410726ee134ecc862f3345928a4833ed309140b4893de9f4abce49572c686c994504a26d5
- SSDEEP
  
  24576:Z5Bh88DAy8j/FzfaRxeZkl0MeQn652HO255TmcSVIH06iyr2tdBnZR:HBh88kDLFm3ZVR71CIU6iPBn
Score

1^/10
behavioral3 behavioral4
- Target
  
  Download/Loader/专项查杀工具-信息中心20230831.exe
- Size
  
  149KB
- MD5
  
  b0a79041ffa540e33b9829633279d9fa
- SHA1
  
  f6fce0911806d282d51eb9c9de40c655ba8d8df3
- SHA256
  
  f370c6ebe338fc1d18f2acfade02cc037e64ef32756dbdf34d864df1f041fd48
- SHA512
  
  f3c6cab0d9fead95bc2fa76ee796176fa62e391b7278bb98ba29c35ca289391192c97f5c1abee0e0b9b88ff130db7ee1678d807cb73bd61731bdd0e7c35eff0a
- SSDEEP
  
  3072:Xa54/QqEmO7dDVpau8KYastPhu8CG/aHmaka:XKs3nORRpaxRul
Score

10^/10

cobaltstrike 0 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral5 behavioral6
- Target
  
  Download/muyyuvd.exe
- Size
  
  1.4MB
- MD5
  
  768e4477abc5c60667290601bfe58b8e
- SHA1
  
  688c99ef523cff22a20bfe70b1a9d3855669ea21
- SHA256
  
  e7c87b0791bdb4f723af07d7b6c8dd79c3d9e1667f7ff6ad271665f3755d6ab8
- SHA512
  
  1c57a8671dd4623d434116c875c63b31df123896cd6e00d7d8daa8c4d9c9bf09d085f06f62c302a7b2a8ab08520d9bf49062e824e6b3420f75893f13b18284cc
- SSDEEP
  
  12288:kTeEBQDPeK6zp48Tm9yLogwL8soAsgp8R3D0kUodp3nBigg/vwr2I4TgV:QehDPh6XoyEgGEARpvtoPx8Sg
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  Download/关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe
- Size
  
  6.3MB
- MD5
  
  2fe3e6577f98084a36281d133c18c421
- SHA1
  
  a1919c3dbeca2d7b9863d7ca444c52c92dcb2a8d
- SHA256
  
  aedf61c285b9ea63f61d788f997d5b316e5ea217ca1e193f9db1d58d7fc614fb
- SHA512
  
  2b3dac0e1fef85fee49a7b665ed9ef5985760ea717e1c475d1d86cd5a212b5e35de4cf8edfd235196224352c5338e5bada5b19b541a795a35c8909c800c35db2
- SSDEEP
  
  49152:qkev1cjXHrb/T7vO90d7HjmAFd4A64nsfJc3MInicrIDRnW4pSXny1bSV5X1o63R:bjX/HicrG3br6iFnEVp+8/2tk
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral10 behavioral9
- Target
  
  Download/广东省海洋综合执法辅助人员管理暂行规定的意见.exe
- Size
  
  2.9MB
- MD5
  
  328894184f6c03103f4ec74ebdb1da33
- SHA1
  
  b0b78411b73844e42366db63b88eead196b17791
- SHA256
  
  eb70ebcf049eacb788867088e0234230651bb91b6a22ec4631b39c1c5b3ab435
- SHA512
  
  5a4a026e9c63e805e184cf58da59f90bf238a1039d16a014d89e76f26fdde7dfe19ddc2888b77b8d36f76e70032f0bf71f05f32bc5684d355a700b4ce22bbf3f
- SSDEEP
  
  49152:UP1Y0klK+qf0tb+Xj9eokhBW9NNg3AJQ6iSLoKUtyAA8vj6P6MVw1+44BffHnSXR:uEHFD6DLoKYyb8uVw8pdPSXVsq4E
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral11 behavioral12
- Target
  
  Download/火绒网络连接查询.exe
- Size
  
  2.6MB
- MD5
  
  6778f3dced1c151403900b0476611639
- SHA1
  
  9b60b0601e269628115ea851cd09e1f79c7b0bdb
- SHA256
  
  8debfe89f386834fc0553e65c3b827fc15bb96fc0c329058f818fe0db48dc624
- SHA512
  
  15187f442a7814af816d5d8aee6f663cf2fa006705dd4ebdb3a960d83065ebc1870370074f8168a9c65f5ca970c57b525ea5aa0462627d8e1d0454f457b3e72d
- SSDEEP
  
  49152:SFXWYr6RKkRu97UW+OSmdjlTCTYaBDV2VO:MXV+DOS5P2VO
Score

10^/10

cobaltstrike 391144938 backdoor trojan 0
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral13 behavioral14