Overview

overview

10

Static

static

3

5c0b2dbb42...ec.exe

windows7-x64

10

5c0b2dbb42...ec.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5c0b2dbb42ddedd4e4d0c6d1011a585566aa0f7b118a85611c1e5f1eb94ad3ec

  • Size

    73KB

  • Sample

    230922-rbmqfaad28

  • MD5

    88a11fbc99c2dce851430cd93257e967

  • SHA1

    80aca3436274e5cbe64453531f16692d6c2b016e

  • SHA256

    5c0b2dbb42ddedd4e4d0c6d1011a585566aa0f7b118a85611c1e5f1eb94ad3ec

  • SHA512

    02fe97048a0b62e8f060d750ad0c3c24fdf23e9ae7c620e1aed9cffcfa3b4f2a5cf1a9894e3dd3b1624049b64b836886dddc964c6546c0d88a7fa5626d99efc4

  • SSDEEP

    768:WvB41cktnhe2QNlhi5jXuwHCM/Xdcu748SSSSSSSSSfw:O21ckfeJNji9XuSCM/Na8SSSSSSSSSY

Score
10/10
cobaltstrikemetasploit1234567890backdoortrojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://files.jslibc.com:443/jquery-3.3.1.slim.min.js

Extracted

Family

cobaltstrike

Botnet

1234567890

C2

http://files.jslibc.com:443/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    files.jslibc.com,/jquery-3.3.1.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    45000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCh7/UOtyOgbc5pWVJf3WT9Bj7Ovio5EVE40BSrvw7OSte1hww8+3BipVqPgUPoRr9Tjf/03mbLRUwLBHlbWY/OCC4bjowGmJgJUC/lVwksmwwOwcADNcwuyjb217ZPd2LculXIgvwqe4U+So+2xROfSYi3/AFd/Lomec55/kzq9wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

  • watermark

    1234567890

Targets

    • Target

      5c0b2dbb42ddedd4e4d0c6d1011a585566aa0f7b118a85611c1e5f1eb94ad3ec

    • Size

      73KB

    • MD5

      88a11fbc99c2dce851430cd93257e967

    • SHA1

      80aca3436274e5cbe64453531f16692d6c2b016e

    • SHA256

      5c0b2dbb42ddedd4e4d0c6d1011a585566aa0f7b118a85611c1e5f1eb94ad3ec

    • SHA512

      02fe97048a0b62e8f060d750ad0c3c24fdf23e9ae7c620e1aed9cffcfa3b4f2a5cf1a9894e3dd3b1624049b64b836886dddc964c6546c0d88a7fa5626d99efc4

    • SSDEEP

      768:WvB41cktnhe2QNlhi5jXuwHCM/Xdcu748SSSSSSSSSfw:O21ckfeJNji9XuSCM/Na8SSSSSSSSSY

    Score
    10/10
    cobaltstrikemetasploit1234567890backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks