Overview

overview

10

Static

static

3

fc815124dc...09.exe

windows7-x64

10

fc815124dc...09.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409

  • Size

    1.8MB

  • Sample

    231013-dgqgmabg3v

  • MD5

    41b00fa23fb3b79db9203028ea9d03d4

  • SHA1

    2bf0aedc99774acdff729b757ec057480cc004d3

  • SHA256

    fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409

  • SHA512

    b4cacc9b3bef3a40335263ef24b49026f8b68e83fd685f6c5e397d2ee6846ea437fdca8888ef1677464d3c6026cd53c5fe1ddd0e1e4f36d4b565779c1881202d

  • SSDEEP

    24576:LcGviP2CcmpREm3Tpj7juvMuY179aA82wlvCxVaIr7Fq5sMxn8ZiF35M8KD1vPl:L0rgDSw+sxPA8KD11

Score
10/10
cobaltstrike100000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://cache.jquerysource.co:443/jquery-3.3.0.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    cache.jquerysource.co,/jquery-3.3.0.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAlUmVmZXJlcjogaHR0cHM6Ly9yZWxlYXNlcy5qcXVlcnkuY29tLwAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAkUmVmZXJlcjogaHR0cDovL3JlbGVhc2VzLmpxdWVyeS5jb20vAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    10000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmQEPSLVuoOihACFPRnPSA3ftXYZ5SROYUUuItwE4kyXr+Bf8AXVqBnXaGIG9WpHAq9W+MzS6EhuMVG3U2Od8d77hCK6QAEFRCBiVHE5/jyjCR0FbJyrmVm1Uzbfqae2vVQ+HwGRFQhdwFvj7upXuaEZmO+D0S5U7Rfo3p7eNozQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.16770176e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFMAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.1.min.js

  • user_agent

    Mozilla/5.0 (Windows NT) AppleWebKit/537.36 (KHTML, like Gecko, Efficiently) Safari/537.36

  • watermark

    100000

Targets

    • Target

      fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409

    • Size

      1.8MB

    • MD5

      41b00fa23fb3b79db9203028ea9d03d4

    • SHA1

      2bf0aedc99774acdff729b757ec057480cc004d3

    • SHA256

      fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409

    • SHA512

      b4cacc9b3bef3a40335263ef24b49026f8b68e83fd685f6c5e397d2ee6846ea437fdca8888ef1677464d3c6026cd53c5fe1ddd0e1e4f36d4b565779c1881202d

    • SSDEEP

      24576:LcGviP2CcmpREm3Tpj7juvMuY179aA82wlvCxVaIr7Fq5sMxn8ZiF35M8KD1vPl:L0rgDSw+sxPA8KD11

    Score
    10/10
    cobaltstrike100000backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks