General

  • Target

    db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67

  • Size

    2.9MB

  • Sample

    231012-fn7etsah57

  • MD5

    85c6476be64e63c21f1a96a8ea3a16da

  • SHA1

    cb79d3d425bbd38efec15e8d67eed6a914d028cb

  • SHA256

    db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67

  • SHA512

    7f8b7fa142e34ea4db447867ed1e11163f18d0314e19e3dd53aba924fff07bf412572170b039de88e304b7f8bdbce06e0e28ec19180a2a9a1ca0f977fa57fc63

  • SSDEEP

    24576:/7oI45pLDx9La1O0R40prgcOrAxbfpO+fKnLRzqFlw3lDaYP1gJgL84SvciArJ23:MI45pLV9QOW4+rrs7QmPJ23

Malware Config

Extracted

Family

cobaltstrike

C2

http://tesupdates.buzz:443/components/an.gif

Attributes
  • user_agent

    Host: tesupdates.buzz Accept: text/html,application/xhtml+xml,application/xml;q=0.9 accept-language: q=0.8,en-GB;q=0.7,en-US;q=0.9.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1140.31

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://us.archive-ubuntu.top:443/nv.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    us.archive-ubuntu.top,/nv.js

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    30000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCngHBsTBazjgWWt5R2gZCmNr5rrEBoGHNTg1x4Q/qK22njloCyKoOrE2+oJPJYMeRw89a12c58npwe3s5SFWsI1ry1d+7ftlpDtJ6OX5/48I2dKcjk/vboaU5U9T9IMWrYxQMdz04+ZuPxp/rb0rWf3rUk3ep6vn6xXA+mv7NvDQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.272630272e+09

  • unknown2

    AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /en

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1140.31

  • watermark

    1359593325

Targets

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

  • Subvert Trust Controls (1) T1553

  • Install Root Certificate (1) T1553.004

  • Modify Registry (1) T1112