cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

21X.rar
Size

37.4MB
Sample

231027-edhhaabh7v
MD5

e41ae263dbff1d5fbedd1fcd2ffacf29
SHA1

5f5472723cb5f68a96af66dac402e26df83770ae
SHA256

57316e29bbf6391f28d0c11c78b61607b9b1a4e87fb3adbb1855b8773223f0e1
SHA512

ab340addba16bd3676b756817b40e154df9725e4c86f607de233ab6cb5b847dc28571ce3177c38fa4e09a243a61d183a9fd88cb365be2537f73b9ed0f368d534
SSDEEP

786432:B0e/c/RuUIi/REZYNBhnNVD8JKXEQ8HRvllE35y7:B0d/Rt/SZEVD8kadYy7

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://www.cainiao.com:443/mp/getapp/msgext

Attributes

access_type
512
beacon_type
2048
host
www.cainiao.com,/mp/getapp/msgext
http_header1
AAAAEAAAABZIb3N0OiBuZXdhcGkud2VpYm8uY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAACFSZWZlcmVyOiBodHRwOi8vbXAud2VpeGluLnFxLmNvbS8AAAAHAAAAAAAAAAMAAAACAAAABU1ZTXp6AAAABgAAAAxYLVdlY2hhdC1VaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABZIb3N0OiBuZXdhcGkud2VpYm8uY29tAAAACgAAAI9BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAoAAAAhUmVmZXJlcjogaHR0cDovL21wLndlaXhpbi5xcS5jb20vAAAABwAAAAAAAAADAAAAAgAAAAVNWU16egAAAAYAAAAMWC1XZWNoYXQtVWluAAAABwAAAAEAAAADAAAAAgAAAAhNTWRhdGE9QQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCD/d86l8Xj9QqEpe62poRSoK8dNn6QFRLe10WufYGHU07TppYiU2koxHDn0ar2iA3kXdUohoBEX00MfKc0AkAi0q7NX7Zl8/L8iLBRsqVKDgCJAm0OoooZAfiJsgoxSly3jYSJyeTtXzPweo4BsNCXGBZrsuIuHpcVe1v+OAMdzQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.532302592e+09
unknown2
AAAABAAAAAIAAAADAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/mp/wapcommon/report
user_agent
WeChat/8.0.5.32 CFNetwork/1237 Darwin/20.4.0
watermark
100000

Targets

- Target
  
  2023.10.12.exe.vir
- Size
  
  90KB
- MD5
  
  21a8040f7c5af2ec8fbbc57467675d44
- SHA1
  
  146dcdd46879ef509f7c0b69da44885f2be05d7f
- SHA256
  
  f288f3a0cd9c65582be25f1db59ff3a37060e9e42afcb24ef243d615f228a51a
- SHA512
  
  8a7e8a3b71e921bce44bef11d109bbc67c06c46c66530a5fdcf5173ba8f305916911fdb9b864b488031eff77a43fc40679be2f5d3efdfc017dd5683236a55417
- SSDEEP
  
  1536:Tqw2luNuu69jSFlwq2rNDCkM8XiOjpNwX:TqwDNuu69SwRrNDSciOj3
Score

1^/10
behavioral1 behavioral2
- Target
  
  HipsMain.exe.vir
- Size
  
  9.0MB
- MD5
  
  4eca89b96ba84a68348f85b3a9dc03b7
- SHA1
  
  a1fd3e9093d8153b15fc1102f35c745b375ce9dc
- SHA256
  
  8df72d49778de3cc2ba9c31299f7f4a0a0a144ea4826a51b1de75d037ba2a7f7
- SHA512
  
  6170c930d76c9aca6ee9a6b4816b829677c7b303a20afc62e38fe675c7acd1e1fb8dca756c4ed44106fa1f37a99e05ebd271f78b7edddf238a3a15effd78ec32
- SSDEEP
  
  196608:ohPrc50mr2puHUHNTqICteEroXx8axG6NIyzlu8pgUN0Mi8mENps:OcKmr2pu0tTqInEroXOakuIyzlu8pja4
Score

7^/10
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  HipsMain1.exe.vir
- Size
  
  8.4MB
- MD5
  
  dc3b09a3b203597085bff5fba0c6fe3a
- SHA1
  
  1bad277e39b990c24820e2ef81ff0b7d4a80cfff
- SHA256
  
  bb14de223f20598b1aec67cdb3a06579ba74537251fb0a753ed40bac2063c2b5
- SHA512
  
  5b215002bed2774499c21a4c70661e6a5b4bc107f91a649c4820f6c473e76c548189221dc5f18dc97ef3eb3fe9f8d1e82585a419ea468a9e1bcbe4bf8f20778e
- SSDEEP
  
  196608:KUAcQ50mr2puHUHNT29onJ5hrZERw+ENFJzFcguwWA7gMjs:bAlKmr2pu0tT29c5hlERwRFJzFcgupAc
Score

7^/10
- Loads dropped DLL
behavioral5 behavioral6
- Target
  
  [local]loader.exe.vir
- Size
  
  12.1MB
- MD5
  
  ed7a6ed7c9a3264735d7d58282dbf6ee
- SHA1
  
  6e58ab251077c3ff0b59f8a8761f214f25dafc3b
- SHA256
  
  824c6fffe52727bc336ff393c4490b44f01527736e689556ff021932b9cd4fe6
- SHA512
  
  a223f25f3c1a05b84d5d8cf0aaa4bc5339b850823b8404cb052d14d9ca044886336650147722757df85b06aa42a73fd7f37b6f42f753cd73209a466b77bf0df7
- SSDEEP
  
  393216:RJlGlfOnzY9c5hlERjAdZYygtNITfZWZrtj:RDGF40EhkjAdZgtNig5j
Score

7^/10
- Loads dropped DLL
behavioral7 behavioral8
- Target
  
  [sus]aaa.exe.vir
- Size
  
  931KB
- MD5
  
  cfc57322bbf583daa8ca4b6394ef3d76
- SHA1
  
  605fbb32829efb51bafcad74bf0ef4e425003795
- SHA256
  
  a501f0e3846eac845a82efc6b084ee0bc118f385d4a9f89e60b618290cb9f439
- SHA512
  
  c4de73f6262824e6c0ad20a277918260696c765c0c23a2305f7e88b58a7d18e02508617615eb19593b98c59d631c969b200de19c55019f6d412f5025eb6e4c81
- SSDEEP
  
  24576:yyg9aJWprJRqy0wdd6DKRXpka5aPfaM9TN/uYh:yTOUrTqyLdMDgZkaM6M9ZGW
Score

10^/10

cobaltstrike 100000 backdoor trojan upx
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral10 behavioral9
- Target
  
  logsave.exe.vir
- Size
  
  6.1MB
- MD5
  
  1c1d273d8769694becc49e11115b836b
- SHA1
  
  fa922c02249d42f52b5567ebbfd80f075229f01b
- SHA256
  
  6f308020a1f664d2ed8682948782a69deba034ce5b1e51c7bc5234919c5816b3
- SHA512
  
  1f11c4e2671cdb61a4467127a492299dbfb47d53fad7db9f94767e152c82c4395ad0352d9b5534d7574702c0076027f97ae71637a94cc5b27d7056a9f6f27516
- SSDEEP
  
  196608:n29j89onJ5hrZEce9tGPqKSWaTbIAa8XH:2F89c5hlEiPNSWa3VX
Score

7^/10
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  福建省福州市闽运集团有限公司约巴定制巴士企划书.exe.vir
- Size
  
  1.8MB
- MD5
  
  4013cafa7be58a15952fd1b924c2d598
- SHA1
  
  7727b1966117978ea117483aacd70d91988f8310
- SHA256
  
  32686b4e8ceba0cf5dbceba44392024633b750920f7aaf39d8ea14a1125049db
- SHA512
  
  89798c698d7d7b9284d6d84cd1e5432d36445e23402a61604e26a3de0e2ac0ba53fa0a903fb3533bd831c73cae3a2e1f7b3706ef69ccf3441e6df08830e6f7c9
- SSDEEP
  
  24576:5n8XoKkFkS+DMIxNrSkp9PPSYCKho+KuFJOgtwDB/LkiWdpw8cPYT2q9IVzr/XFs:n+IGFDP39olEO7OdpOYKH5pvE/nqxsl
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral13 behavioral14
- Target
  
  说明书.exe.vir
- Size
  
  1.9MB
- MD5
  
  a10bf17c35e14ff2b95b2bf7f1a002d5
- SHA1
  
  c4aebc4b2697f65817631b72b8c19bb3601ae840
- SHA256
  
  5f1a4c7fce773a2c54e4e8d840d554ff0b8349639eacb9762e2fc1732d9433ec
- SHA512
  
  e74aca0b7ebb7d609d77d650ed0bfdfac7cc618ab945d3a291c8efc3505d1343e2850ae1d02b8321d49d0b9646c60fe5d1438a0505bd330e8a81729384c121bd
- SSDEEP
  
  24576:Pq8eiTqrynoLmSgmbVQ7hiP2W270WOp0dWslQQ7FAo:l2mOQ5Op0dhlQQh5
Score

1^/10
behavioral15 behavioral16

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

Loads dropped DLL

Loads dropped DLL

UPX packed file

Loads dropped DLL

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16