General

  • Target

    Adobe Acrobat Font Set 5.1.12.msi

  • Size

    844KB

  • Sample

    231116-jhqfxahe4w

  • MD5

    764a6683659731c012f317be51f78fae

  • SHA1

    d397ea3c9a83184caa5e18ed0b86104ad6575ec3

  • SHA256

    461ba29d9386de39071d8f2f7956be21fb4fa06df8dd1db6dec3da0982e42f9f

  • SHA512

    d38eee0b0b22f03dee71b55b3bd43d2ad28977bc946b62eb6f15d997e3efa804f2572fe57b928a53b8c3ba6a0ebd37664d82bff769d0e79e8e599a629ff85642

  • SSDEEP

    12288:9jtM8VQaL5Rop6DMV6hY+T0c1PCeKgJwjIfqlI1HPgsJcDOI706AnL+X2g:saN46m6yc0c1qeK7AJGdBAnL+Gg

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    12345

  • C2

    http://geocitesbbc.com:443/callable

Attributes

  • access_type

    512

  • beacon_type

    2048

  • host

    geocitesbbc.com,/callable

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9984

  • polling_time

    42

  • port_number

    443

  • sc_process32

    %windir%\syswow64\w32tm.exe

  • sc_process64

    %windir%\sysnative\w32tm.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLM4J9O0m8TuhWhBdQoftl0i+1WQjhrUo8jlgb4wxjeOVKkNflC1MTu6xKTC/wBhEb0MBMChes1WKMTP1oCIqkmdBUvFpyzW8IRUXQkJ+1Bb4ynGMUd4Js14t35sbJNxhp5lRGsd0jpsQgBqby6GpXot0wRvYxp6p3oLNDY/uPywIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.025605888e+09

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /switch

  • user_agent

    Mozilla/5.0 (Linux; Android 11; CPH2127) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.74 Mobile Safari/537.36

  • watermark

    12345

Targets

    • Target

      Adobe Acrobat Font Set 5.1.12.msi
    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery

    Query Registry, T1012 (2 signatures)

    Peripheral Device Discovery, T1120 (2 signatures)

    System Information Discovery, T1082 (2 signatures)