General

  • Target

    rODyUVpxfY.exe

  • Size

    1.3MB

  • Sample

    230914-3qr49afh6v

  • MD5

    5d8edb411af48165a5c7ad86b66470c3

  • SHA1

    2cd2fa06855a98d8d4ad5c75cef9f7c58fbc32aa

  • SHA256

    3d98abe8a8429aff34af70e1c0e339a1c7ee52ba1370eaf1d1856076d470ea17

  • SHA512

    9c3f9b59f27945b4ea374498cf5dc93ddb06556353bb62abf24dfd47b12434d3b5c73254eb3b78803e110fe61f7ef913f8e8ab4f28b50c9f580302f89994c584

  • SSDEEP

    24576:KQwobX+5icdw3Mz+NZ7frSegXSOAvqBknl+t:KWq5C3ye2QqBknl+t

Malware Config

Extracted

Family

cobaltstrike

C2

http://62.234.14.38:1443/ajax/jquery/jquery-3.6.4.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.9 Accept-Encoding: gzip, deflate Referer: http://mp.weixin.qq.com/ User-Agent: WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://62.234.14.38:1443/mp/getapp/msgext

Attributes
  • access_type

    512

  • host

    62.234.14.38,/mp/getapp/msgext

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    5000

  • port_number

    1443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCHFQjnAnUbEXD+c5GiuPpC/L5pH2AnHxcutfvep6LOO4ik5oTdUI5q7KAsEzt7oUQI06rl0seBjlfZlXoAbwfbSbtvYJDKZMeDPvaY6QJRM9SYTgD+nlUiAR0qeMpbvhj68n3khnS1Cu2IS9GJpCMa7kRYn7ylraIWKBIArzaEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.532302592e+09

  • unknown2

    AAAABAAAAAIAAAADAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /mp/wapcommon/report

  • user_agent

    WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0

  • watermark

    100000

Targets

    • Target

      rODyUVpxfY.exe

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (T1012): 3

  • System Information Discovery (T1082): 2

Tasks