cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

Download.zip
Size

24.0MB
Sample

230910-rm3wsshg3y
MD5

53214de283b2887ed1d9038d2aeaa98c
SHA1

e0d7fd0b8bae74763f4844640021e7e99a288d2e
SHA256

470fa92d98853148ff13c260aa181b648744c5995b4e2c9314e342b6523ed104
SHA512

4f3da1672790fa786896283e888bba89e528622803147c7c0175ab917c2d1331e07dacabe3dc59a03f074cb3b1a509d0faf58cba5da57e108bfab92c5d73339b
SSDEEP

393216:M0GC70YsuXUJwNmnouIP5rzRXNGuWokiMRB78vEGUkRSIui2QpWrifKi3:iJ/uawQon5NgfN8vplfn3

Score

10^/10

cobaltstrike 0 100000 100000000 391144938 backdoor discovery evasion persistence pyinstaller trojan upx vmprotect

Malware Config

Extracted

Family

cobaltstrike

http://47.96.174.24:88/VmWC

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUSMSNIP)

Extracted

Family

cobaltstrike

Botnet

100000000

http://gd.cndelica.com:8443/poll

http://127.0.0.1:59275/api/console-base/cookie/govern

http://211.91.52.55:443/jquery-3.3.1.min.js

http://125.74.108.45:443/jquery-3.3.1.min.js

http://1.189.232.202:443/jquery-3.3.1.min.js

http://27.221.72.110:443/jquery-3.3.1.min.js

http://27.221.72.135:443/jquery-3.3.1.min.js

http://36.131.221.241:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
gd.cndelica.com,/poll
http_header1
AAAACgAAABpYLUN1c3RvbS1QU0s6IFtTT01FX1ZBTFVFXQAAAAcAAAAAAAAADQAAAAgAAAANAAAABQAAAAV0b2tlbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACQAAAB5hY3Rpb249R2V0RXh0ZW5zaWJpbGl0eUNvbnRleHQAAAAKAAAALUNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbjsgY2hhcnNldD11dGYtOAAAAAoAAAAQUHJhZ21hOiBuby1jYWNoZQAAAAoAAAAaWC1DdXN0b20tUFNLOiBbU09NRV9WQUxVRV0AAAAHAAAAAAAAAAUAAAAFdG9rZW4AAAAHAAAAAQAAAA8AAAADAAAAAgAAABl7InZlcnNpb24iOiIyIiwicmVwb3J0IjoiAAAAAQAAAAIifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
1000
port_number
8443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqzEJfhNRDTUWc4OFw6QgWMCgtZpCzf+4+RQGYwL9gNHEC7Oh+6fCB3hnfVWpvxm96OVnB0eWJt6P1aNkZxVZ+u6PuqrBRm+Ad5gbjYgujotq7rM44FsmQaZAp8fORER8oRJjuMN1AxEzkj0VjMXZ8LwkT+0lyLqjjmBsdJBcCWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.102727936e+09
unknown2
AAAABAAAAAEAAAACAAAAAgAAACMAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/upload
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
watermark
100000000

Extracted

Family

cobaltstrike

Botnet

391144938

http://38.147.172.99:443/load

http://103.214.168.86:443/ga.js

http://45.136.14.166:443/match

http://38.147.172.99:443/activity

http://134.122.167.72:443/visit.js

Attributes

access_type
512
beacon_type
2048
host
38.147.172.99,/load,103.214.168.86,/ga.js,45.136.14.166,/match,38.147.172.99,/activity,134.122.167.72,/visit.js
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsdHJ5dHJ5ZAAAAAcAAAAAAAAAAwAAAAIAAAAiU0VTU0lPTklEPXdxZTQ1NHdxZTJkczE1ZHM0ZHNhNWRzNAAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsdHJ5dHJ5ZAAAAAcAAAAAAAAAAwAAAAIAAAAjSlNFU1NJT049ZHNmNXNkNGY1ZTQ1ZmU0czY1ZDRmODU2ZTQAAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5120
polling_time
3000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLkw0kvfeugTUz0AmoVb/lE4jBMEVXSscLbqsILbLQbt0gXKVpDLWmw8u+ySk1wMPysDZiC7DSLdNEhH1tUiRNZfcKoe+OYofwP8EB7AJYsu1JZzVq3wlAzazE2wGXQqZNPPrdYvJUpVw7TijKATT9RT+Pk1mxbYYZqIhx+8TpwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/index.php
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
watermark
391144938

Extracted

Family

cobaltstrike

Botnet

100000

http://47.96.174.24:88/dot.gif

Attributes

access_type
512
host
47.96.174.24,/dot.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
88
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCW2YBojWiu4JqVZa2JVdlnT/bI4tNoctW0OdnrpURu/OsCmCO+Gm50Wo6DNIWo6M6Xm7v/mZKlCe0ux9l1J3N6upyLQUsMfxMdtfXtpqrO4x2a/79CpLCD0Km4wC2aDW1rkVfQhejl4wET2kwKYDfYuZ9RSIJ3odyn+Qro7WTBAQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Targets

- Target
  
  -服务端.exe
- Size
  
  2.7MB
- MD5
  
  af090e363e79628671faf1b0a98587aa
- SHA1
  
  a331bdb7770bf09346444e7cb6fbd03ca69dfc9b
- SHA256
  
  3f2d6c9827e4532876c5efc69f4d6f7ffd51a6958515887daae51a94133733f3
- SHA512
  
  9b667be4c606b18c5ff2bba8c5c9730e225c08d458ed677d4944642632040071e2c94f03a66a244550e1224d61d99f283fc2994803501a40e03a8981946ea1f9
- SSDEEP
  
  49152:gmCSDU+UUzxovO1+fDBgah1iMKZ+Ps+j2MQQWvPD15w9K9M0PCL8F4hUBAX9Q40Q:gmCAU+UUzx0OCDBbOZ+kHHhq9NLL8e08
Score

8^/10

evasion persistence trojan upx
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Modifies WinLogon
  persistence
- An obfuscated cmd.exe command-line is typically used to evade detection.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1
- Target
  
  1.exe
- Size
  
  1.8MB
- MD5
  
  f0b3783d02decefad419810bf6129ac9
- SHA1
  
  3bb7a9c874a6faa0ff6800e3d70e8b85091dfddd
- SHA256
  
  b3ff9f6179c0221132eb6149b3aca64fcc564705972fc7253c8f6692a2742c30
- SHA512
  
  ff24f58709002b0aea3c141a369a44918bcb3b87496af289bf3e434410726ee134ecc862f3345928a4833ed309140b4893de9f4abce49572c686c994504a26d5
- SSDEEP
  
  24576:Z5Bh88DAy8j/FzfaRxeZkl0MeQn652HO255TmcSVIH06iyr2tdBnZR:HBh88kDLFm3ZVR71CIU6iPBn
Score

1^/10
behavioral2
- Target
  
  360tray.exe
- Size
  
  6.7MB
- MD5
  
  b268d708d8fdf9d2c12e318ec76000b2
- SHA1
  
  893fe2ec32f6f96473701cde5ce99a72363b48f1
- SHA256
  
  e69b1a30c0da8b2ee47f9159bea3424bbb01ab616abc913657b610b04a760556
- SHA512
  
  8515473c7f4ebb1feec78c9c99b78ed81b4b54f4f2c4ba64be56698adf0f54b3b2cb4413aafad2ea8dd2eec2681a2b6e8f9325e3d85780caa4075c8230381bc0
- SSDEEP
  
  196608:ySu78K/zj89onJ5hrZEce9tGPqKSWaTboBEBl:Lu7L/389c5hlEiPNSWa3r
Score

7^/10
- Loads dropped DLL
behavioral3
- Target
  
  Loader/专项查杀工具-信息中心20230831.exe
- Size
  
  149KB
- MD5
  
  b0a79041ffa540e33b9829633279d9fa
- SHA1
  
  f6fce0911806d282d51eb9c9de40c655ba8d8df3
- SHA256
  
  f370c6ebe338fc1d18f2acfade02cc037e64ef32756dbdf34d864df1f041fd48
- SHA512
  
  f3c6cab0d9fead95bc2fa76ee796176fa62e391b7278bb98ba29c35ca289391192c97f5c1abee0e0b9b88ff130db7ee1678d807cb73bd61731bdd0e7c35eff0a
- SSDEEP
  
  3072:Xa54/QqEmO7dDVpau8KYastPhu8CG/aHmaka:XKs3nORRpaxRul
Score

10^/10

cobaltstrike 0 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral4
- Target
  
  Microsoft.exe
- Size
  
  2.2MB
- MD5
  
  3ef79468e41ba8ddb7d9115658a86adb
- SHA1
  
  c6f1b475f672e98c0edca422a98b2ba46e3ff899
- SHA256
  
  8cf4338336a087fbb3cac54f6130c07f3aa5ba4c9a0ffc5a8f810f27b2948c56
- SHA512
  
  46676fa6577ad818f90dedc2673ed943e535bcc1f565b9430df7835ad1bfc0a82f271fd276ce865e796e3ca58fc25b78932aba63f863bc788433939aaaf84ea9
- SSDEEP
  
  24576:+3dS4QT7fhTFyzQ5OrzwkmGm2Aqc+1FhBPnBnV/93FXQJ9KUkzxt0JY2v:eChTwaOY5Gm2AonV/9H2v
Score

1^/10
behavioral5
- Target
  
  a.exe
- Size
  
  234KB
- MD5
  
  92e3146b2d255fa095717b7ef9c1ca4d
- SHA1
  
  762db1ff5e01ebf15bd98a563ac2f6302a2d2c4e
- SHA256
  
  467991df3bcf63e877e458d94c55175ece5e082b02b9fd8e17b1e24fe0238ce2
- SHA512
  
  635cf4feb05e23f97a1a27cc921bf14c1f9a16dfb3aa9a1cc0976c37126c41cc12ca7730559804cc8435987026614ee17e381ed23ca7d857f79504cda0260045
- SSDEEP
  
  3072:MGP0+Rf58fHFbDyvwATqXBt4c/nBYI2uolI6bRhvx9xhoZKpyy66UetawF:hjQftX9d/qbwEpe6Ueo
Score

1^/10
behavioral6
- Target
  
  check-2023-08-01.exe
- Size
  
  1.5MB
- MD5
  
  99dec1d62ebcac33b2d2d42017b1ab90
- SHA1
  
  8125b26437cf17e05018e1aa77534e6422bbc866
- SHA256
  
  98f34efc9f236bdd99ac8a67f0bc75bbd8bc3c24e3048f7cec8c1b98c31644cf
- SHA512
  
  e17dba14ade0677e23a4b9bd7c196b687e48e0b0e4cc831521b1d10391ab4a39b6ed1b846d8d53db4c9457fe528c5a4e5756a9681d979ffe70943ea1b80b1dde
- SSDEEP
  
  24576:yQ7o6xCWfVDcZauuO5q78a3Gyz/Gi3x6gmQ11qJFZw0ZA9FhSL:yQ7o6xCWfVDcZauuOHQ11qJFZwt/hSL
Score

1^/10
behavioral7
- Target
  
  flashcenter_install_cn.exe
- Size
  
  1015KB
- MD5
  
  3e686d37908636dedf2f5977c5d45645
- SHA1
  
  b6a30b835b632681ecc1a7c236630143a3160154
- SHA256
  
  a038a50223dc85b97103224f3bb60b8ad1e6cdfa93a026da964d554eaaef4d39
- SHA512
  
  0f8c5e1bcd1fcc7954a09aecf6f98397a4846008c3f5c8b641a43ecbd3544b2dd291a62cf8dad737d9b97252a124b3dcf9ed0665785c15e746933f651bc635d4
- SSDEEP
  
  24576:MyTFRdaAX8h4Gq/TrdCYGR23uiOU50ohfew+rSUfBLw:JTctSGcTRC1JRLpLw
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral8
- Target
  
  muyyuvd.exe
- Size
  
  1.4MB
- MD5
  
  768e4477abc5c60667290601bfe58b8e
- SHA1
  
  688c99ef523cff22a20bfe70b1a9d3855669ea21
- SHA256
  
  e7c87b0791bdb4f723af07d7b6c8dd79c3d9e1667f7ff6ad271665f3755d6ab8
- SHA512
  
  1c57a8671dd4623d434116c875c63b31df123896cd6e00d7d8daa8c4d9c9bf09d085f06f62c302a7b2a8ab08520d9bf49062e824e6b3420f75893f13b18284cc
- SSDEEP
  
  12288:kTeEBQDPeK6zp48Tm9yLogwL8soAsgp8R3D0kUodp3nBigg/vwr2I4TgV:QehDPh6XoyEgGEARpvtoPx8Sg
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral9
- Target
  
  pdf安装.exe
- Size
  
  17KB
- MD5
  
  9db3212ef37dfb08386ed0f14ee5cf0a
- SHA1
  
  98fa740b89cc81aeeeae56aa402c8e6abe556aff
- SHA256
  
  f23dabb76523c6610b09cfa630957348c3c9f27ea083e7d5446713bd3967a5d3
- SHA512
  
  91d97ce12981906b86d84b30a2b7fc1118fbe8ee7610b37aa636bed94b14a4b6119bec38a29a6e8641aa0bb22a82d3f2b5af420b95d3a2a55f694a5237f46c25
- SSDEEP
  
  192:VbFMsPYyAFuofTGqLa1TsZdpCB+o2VM176ZK5Id8r/Xn/AS+szlfNFveTplCc9e:VRMAYld9ZWwVMJ4Sr/P1lfNF4pkc9e
Score

1^/10
behavioral10
- Target
  
  东方有线网络有限公司岗位调整通知.exe
- Size
  
  4.0MB
- MD5
  
  b30d1506521c913c0aaf563a58e844fa
- SHA1
  
  fcb1248a038c2c940b906ea8db96842bcd69c435
- SHA256
  
  953f0a446db98a7bed8118dc7cdd79e2e3bde26f4875b5975bfa5d5ec6714737
- SHA512
  
  faa1ddbb5e349de8c8bf8b0fada9dc877a6ce2e2c167086e56a3c98bc6ad1b0d156a58fe3c29293cacf9ce434c84cf530994df757e07cf09bdab71cffd994f30
- SSDEEP
  
  49152:HLrQm0frb/TDvO90d7HjmAFd4A64nsfJXZqbzFeKLAPGU9U+pkNBgtGst/65rVgZ:+A
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral11
- Target
  
  关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe
- Size
  
  6.3MB
- MD5
  
  2fe3e6577f98084a36281d133c18c421
- SHA1
  
  a1919c3dbeca2d7b9863d7ca444c52c92dcb2a8d
- SHA256
  
  aedf61c285b9ea63f61d788f997d5b316e5ea217ca1e193f9db1d58d7fc614fb
- SHA512
  
  2b3dac0e1fef85fee49a7b665ed9ef5985760ea717e1c475d1d86cd5a212b5e35de4cf8edfd235196224352c5338e5bada5b19b541a795a35c8909c800c35db2
- SSDEEP
  
  49152:qkev1cjXHrb/T7vO90d7HjmAFd4A64nsfJc3MInicrIDRnW4pSXny1bSV5X1o63R:bjX/HicrG3br6iFnEVp+8/2tk
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral12
- Target
  
  国家电网有限公司企业负责人收入情况.exe
- Size
  
  826KB
- MD5
  
  0cca261d04da399c982b7cfb9782949d
- SHA1
  
  abc3592bc8e3106216c5fe1e9cb210f4f003eebe
- SHA256
  
  4d4eb532a1c9589d62709912df86386794d174b4b62b26406a4f6f325f41ffb6
- SHA512
  
  6733881010676dccf9b9408ef3303bbd681b88e0d2f2582857126e2a4f1c1aef39cb414d5e227721c7d3d23b96ce823b89b948d5704358c8fca8816a921e6984
- SSDEEP
  
  24576:7zyE+cC6ef3u4kvNqOcT35k/slCdewxt:7b+P5+flqOcDqUIJ
Score

7^/10
- Executes dropped EXE
behavioral13
- Target
  
  广东省海洋综合执法辅助人员管理暂行规定的意见.exe
- Size
  
  2.9MB
- MD5
  
  328894184f6c03103f4ec74ebdb1da33
- SHA1
  
  b0b78411b73844e42366db63b88eead196b17791
- SHA256
  
  eb70ebcf049eacb788867088e0234230651bb91b6a22ec4631b39c1c5b3ab435
- SHA512
  
  5a4a026e9c63e805e184cf58da59f90bf238a1039d16a014d89e76f26fdde7dfe19ddc2888b77b8d36f76e70032f0bf71f05f32bc5684d355a700b4ce22bbf3f
- SSDEEP
  
  49152:UP1Y0klK+qf0tb+Xj9eokhBW9NNg3AJQ6iSLoKUtyAA8vj6P6MVw1+44BffHnSXR:uEHFD6DLoKYyb8uVw8pdPSXVsq4E
Score

10^/10

cobaltstrike 100000000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral14
- Target
  
  广东省统计局智能普查代码API信息-20230907.exe
- Size
  
  298KB
- MD5
  
  7064c19cf881943337c3db937b26d0fc
- SHA1
  
  3a103fd5fb66864b3959a64207051a9aca820736
- SHA256
  
  e7ff5500d4ff19131f320072f81573a709e25eeeaded913631f7f4b36be98d14
- SHA512
  
  c0cca4c2f175a3034b7b56f9fb26ae45711a0cae67e31ec6e45b952edf62bad615e2b9cf2cfa7e13fb637298697d2a6d1a0170fc82a1aa34e9c7d4eeecfc36da
- SSDEEP
  
  6144:3NTqter/4fl6UOr7oUMAD7J4ae8eefV1mvytA5ZUIVeqN5g+Kv:3NTPQfm35M+lhpFOSA5KIAqr4
Score

1^/10
behavioral15
- Target
  
  录屏精灵-小方app-录制.com
- Size
  
  4.8MB
- MD5
  
  6db9e2872b1d3d218bed5f6042d45af6
- SHA1
  
  d819c902901196ae243c2044373e17791fe30048
- SHA256
  
  647347d2c84696af6018d43cf1b70fc39dfe4a1fbf5850918fb493d2b494042b
- SHA512
  
  deab612fb5311c65d68725942a32ce56a000577b758f131a4c0fb778e1de9f9e908a7cb2352c538a46dcc98ef37167eab7dd03c791359bed02963541029a2eeb
- SSDEEP
  
  98304:0PSfOFkEACaDWJ4Rwy/QYVxF1NXZRc6k4zBcrt//svPYRA3Dyt2jc31:0PSf4uD4y/QYVxF1NXZRc6kS9QOX4
Score

7^/10
- Executes dropped EXE
behavioral16
- Target
  
  火绒网络连接查询.exe
- Size
  
  2.6MB
- MD5
  
  6778f3dced1c151403900b0476611639
- SHA1
  
  9b60b0601e269628115ea851cd09e1f79c7b0bdb
- SHA256
  
  8debfe89f386834fc0553e65c3b827fc15bb96fc0c329058f818fe0db48dc624
- SHA512
  
  15187f442a7814af816d5d8aee6f663cf2fa006705dd4ebdb3a960d83065ebc1870370074f8168a9c65f5ca970c57b525ea5aa0462627d8e1d0454f457b3e72d
- SSDEEP
  
  49152:SFXWYr6RKkRu97UW+OSmdjlTCTYaBDV2VO:MXV+DOS5P2VO
Score

10^/10

cobaltstrike 391144938 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Modifies WinLogon

An obfuscated cmd.exe command-line is typically used to evade detection.

AutoIT Executable

Drops file in System32 directory

Loads dropped DLL

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Cobaltstrike

Process spawned unexpected child process

Checks computer location settings

Executes dropped EXE

Cobaltstrike

Executes dropped EXE

Cobaltstrike

Enumerates connected drives

Executes dropped EXE

Cobaltstrike

Checks computer location settings

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17