General

  • Target

    lilyline.7z

  • Size

    2.1MB

  • Sample

    230908-nwdrgsbc93

  • MD5

    17e00d23f6a5c925cee0ad48a1c1ffb3

  • SHA1

    b5cde6b904373ade9d4645cd8196f1ce4d8348af

  • SHA256

    f7556b4f9da6ccda2a040e49a565bd079b3d7b60741e0825aea10bc5057cb425

  • SHA512

    12eed913248e3d45a40dea8820820aecadacd4fc9683bd979776750f5e0e6d1fc72551aa5e358a822bb8b813a6691b73cf4664030bcdaaab0c51c93179225b02

  • SSDEEP

    49152:5h8PLPIKRt08A5zVXgnNQKxiN6/waP7fFqZT5l4jV90Eoiwwiw0:5h8P7lDpARqQK3/xbEZT5l4j7RovwY

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://home.firefoxchina.cn:80/audiencemanager.js

Attributes
  • access_type

    512

  • host

    home.firefoxchina.cn,/audiencemanager.js

  • http_header1

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAABQAAAAdfX21zLWN2AAAABwAAAAEAAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    30000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjEd1ZZy3zJB1ANINO0XVDAXe3oi+OWyftkzo9D4JdY27p0ox7K+n/zZ4fDt2w0xOZvJhiG67zWEpYQGOlEyZ6j+2I1GDmfiUR+jzJOVCXBvUAbCgPuuY59hzxUNk1QNfSJo30f2b4E8k8ls+H+Rc7nviDkQv2ldXvG0CIZHhIswIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.435374848e+09

  • unknown2

    AAAABAAAAAEAAAf+AAAAAgAAIUwAAAACAAAPtQAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /audiencemanager-v2.js

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36

  • watermark

    100000

Targets

    • Target

      Shelm/pad.exe

    • Size

      6.6MB

    • MD5

      512f4350aee7eb50adf509008a3ad3ce

    • SHA1

      b9eb9c56289e835739447925a0c085a9849a8f53

    • SHA256

      64f7a36c01e79cd4b041e8a8607dff06d5b606d36e3dff9cfb5fffa22d14d34c

    • SHA512

      9f8fc1871545abb446e76990c02ea648f3a588e1245f9140e86199a834b49d7410907925d471a4cb255f01176dc56d9099920db8f645938c32c66810cc14f649

    • SSDEEP

      49152:hfvxdjdBT6fQ88jYf89GdJufo0HNoWzSMWPQYH09RU39h6b/tQxFezMZoRZXtSHj:bb4zEsqaMWEr8gQLACJir2wFXk/mol

    • Target

      proxys.exe

    • Size

      524KB

    • MD5

      ae7bff13f258bb560515b8bc14a74886

    • SHA1

      19510d23a27aeeb06808b5904151e1b246091ed9

    • SHA256

      24642ecd754edd6cac230971f6920083e2e7d2e46f69b89115addace10927d0a

    • SHA512

      0751e6ce6e9a1deeccad2ffe9e3b1aa2ffc91f219c2e46850e2d2bd472a2eab289b16bfc6140717482cb60f5a04119a97ae53941b89a87187aea894a08d765a9

    • SSDEEP

      12288:JXL3sjP2pGFZvsJWKRW1RyY17IF3DgkExI/y8xtwURd:JXLoP2mZ0cKzBDQIXxX

    Score
    1/10

MITRE ATT&CK Matrix

Tasks