Behavioral task
behavioral1
Sample
2d0574b450ec583d5f3156d3282aab9f0613aed62d1b5c2cc051e5bd8f55a640.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
2d0574b450ec583d5f3156d3282aab9f0613aed62d1b5c2cc051e5bd8f55a640.exe
Resource
win10v2004-20230915-en
General
-
Target
2d0574b450ec583d5f3156d3282aab9f0613aed62d1b5c2cc051e5bd8f55a640
-
Size
62KB
-
MD5
877d4d46aa15868f525d4c3c89636d07
-
SHA1
ce623c1c24c8dd41ba4653727ff2c783f49626ca
-
SHA256
2d0574b450ec583d5f3156d3282aab9f0613aed62d1b5c2cc051e5bd8f55a640
-
SHA512
62fc65ef5ea48b8485e39e13eaada6b5a76c7f1a073efb297bbf05fa0fb7e959122db36f3f8143e89a47fbb586947a26ebae9c0f3cf0d7cdfcd4024f97d4ef82
-
SSDEEP
384:9apJjipSnHy/Xg0eTsrOaytGLI3WNIhFhcuLg+snWGbH/monADQfBycqCzPA89X+:AH10L7yMIDhXFgbnXBrA89
Malware Config
Extracted
cobaltstrike
http://101.43.164.21:80/dnV5
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)
Signatures
-
Cobaltstrike family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 2d0574b450ec583d5f3156d3282aab9f0613aed62d1b5c2cc051e5bd8f55a640
Files
-
2d0574b450ec583d5f3156d3282aab9f0613aed62d1b5c2cc051e5bd8f55a640.exe windows:6 windows x64
8857ab4ffcd7a4ae41d92425862b5f3e
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
HeapCreate
HeapAlloc
FreeLibrary
VirtualQuery
GetProcessHeap
HeapFree
GetLastError
GetModuleHandleW
GetStartupInfoW
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WideCharToMultiByte
MultiByteToWideChar
RaiseException
IsDebuggerPresent
GetCurrentThreadId
GetProcAddress
vcruntime140d
__C_specific_handler_noexcept
__std_type_info_destroy_list
__current_exception
__current_exception_context
__vcrt_GetModuleFileNameW
__vcrt_GetModuleHandleW
__vcrt_LoadLibraryExW
__C_specific_handler
memcpy
ucrtbased
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_crt_at_quick_exit
terminate
_wmakepath_s
_wsplitpath_s
wcscpy_s
__p___argc
strcat_s
_exit
exit
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
__setusermatherr
_set_app_type
_seh_filter_exe
_CrtDbgReportW
_CrtDbgReport
_seh_filter_dll
strcpy_s
__p__commode
_set_new_mode
_configthreadlocale
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
_set_fmode
__p___argv
__stdio_common_vsprintf_s
Sections
.textbss Size: - Virtual size: 64KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.text Size: 32KB - Virtual size: 31KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 12KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.idata Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.msvcjmc Size: 512B - Virtual size: 451B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.00cfg Size: 512B - Virtual size: 373B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1024B - Virtual size: 623B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ