Overview

overview

10

Static

static

3

343e6fb182...51.exe

windows7-x64

10

343e6fb182...51.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    343e6fb182d72f925200c16a05cb9a527dfe38aa21f71d4dd88a53282313bc51

  • Size

    6.3MB

  • Sample

    231018-h9gseadf57

  • MD5

    9c221e16b44b951e754be1fa4d9b467e

  • SHA1

    271a0c057c7470003fe30659cd3b35f831587904

  • SHA256

    343e6fb182d72f925200c16a05cb9a527dfe38aa21f71d4dd88a53282313bc51

  • SHA512

    8a0591f72558a4321c35d35ed648e6216c5bd8e7b4ce42c2d8071f60dba517b2baf9d8ada864740027a15792adacd9193625d274dde7bdf8e825a8c9be93b209

  • SSDEEP

    196608:cgzWQ90xXzGneX38DXDQ9ZjFRjaO2SvZme:cgK1xQ0MDTQ9HRjaY

Score
10/10
cobaltstrikemetasploit100000backdoorpyinstallertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://124.112.238.15:1314/NSDw

Attributes
  • headers User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://124.112.238.15:1314/dot.gif

Attributes
  • access_type

    512

  • host

    124.112.238.15,/dot.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    1314

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJNePT+xvglCI7DQz7bxNzCI4VUeLx6UftmIcEnbqI2/2bFUZ+cyN8Uhj9PVb4m26Hf27S2GjMJ6HnCaWiPfeS5YtmnO6P1vR8FFaVNcylAc8oXvegYnHC2g9Z1PkR/J2kTOz066qxHWkvUPly6LmHGOQfAlopWfmvGS90I8vDlwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

  • watermark

    100000

Targets

    • Target

      343e6fb182d72f925200c16a05cb9a527dfe38aa21f71d4dd88a53282313bc51

    • Size

      6.3MB

    • MD5

      9c221e16b44b951e754be1fa4d9b467e

    • SHA1

      271a0c057c7470003fe30659cd3b35f831587904

    • SHA256

      343e6fb182d72f925200c16a05cb9a527dfe38aa21f71d4dd88a53282313bc51

    • SHA512

      8a0591f72558a4321c35d35ed648e6216c5bd8e7b4ce42c2d8071f60dba517b2baf9d8ada864740027a15792adacd9193625d274dde7bdf8e825a8c9be93b209

    • SSDEEP

      196608:cgzWQ90xXzGneX38DXDQ9ZjFRjaO2SvZme:cgK1xQ0MDTQ9HRjaY

    Score
    10/10
    cobaltstrikemetasploit100000backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks