cobaltstrike

Sharing

Copy URL

Twitter E-mail

General

Target

19X.rar
Size

17.7MB
Sample

231116-jjkl2sgb83
MD5

703e04361ca1e3a3f50c519dc72969df
SHA1

515ec03934a9731c157367092935eed3cb22570e
SHA256

b6fbd300520e46f761b778cfc7595b43db385c79a1d7e4c4ce40e782f78a1c01
SHA512

74faa807deb7e03ad5f22244cd7556b0d7c3e22efb90bdad61590581128e6e3062b461af150bcac4ee7c638c1369ed5ea2a6a881d9c258ad76220d9c63f48ce4
SSDEEP

393216:xFYpkGpGjixj+wg6DfEqVYpFgKeZVzjJfNCVFZyxze3z8Gpmc4:TwX/Z+qDcqCngKe73DCVFoxz+zLpy

Score

10^/10

cobaltstrike 0 100000 987654321 backdoor evasion themida trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://23.105.197.219:4433/dpixel

http://service-ho26i50l-1306669097.bj.apigw.tencentcs.com:443/assets/code-3d7b701fc6eb.css

http://45.32.26.214:443/IE9CompatViewList.xml

Attributes

access_type
512
beacon_type
2048
host
23.105.197.219,/dpixel
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
4433
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDohWpPN9dK5Iaq3j5MARwhwXxMD+LZJY92SEg755tH3cbGJDwjAjae+Cq14PUO5w33EpPbdmLoEfwZmXv2Zz/AYj0O8mNmRw35sEPhPXGKj1Snqz4qS1EVBYgJOSMLEUCg7LBwHQtvsGnoZjszjkVqf9Hi9INcnBF8qLyh4JrKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Extracted

Family

cobaltstrike

http://45.32.26.214:443/qMTK

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 2.0.50727)

Extracted

Family

cobaltstrike

Botnet

987654321

http://101.33.196.232:50080/g.pixel

Attributes

access_type
512
host
101.33.196.232,/g.pixel
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
50080
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFvNsNMz+wjKBz8+fAbCDfp8OlTq80fRxt9K0GPS+NksQsIwJiMrpPyqCNkV7e6Kp6zhlRcnnSXF3CCQZabTqKzy2MPrgzrN5u2Ck1hcKZD78r0xc++4DlyY0vT2LVPG93cZ6NUzP5libC1qkHsgFZiiLso8zMNvSje5hQk2hBMQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)
watermark
987654321

Targets

- Target
  
  2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe.vir
- Size
  
  3.8MB
- MD5
  
  f8b1ed547729841918abbea9d2dedb55
- SHA1
  
  d35a443f87abae38de4980e2a83762a6619ec183
- SHA256
  
  8ccf7db0910464d7424b2d2d7366838d6dfc71f9de474d96b05275b1ae97d290
- SHA512
  
  27a579794d59a6cbd8391e1f785f0e93b6f87f8fad6937cac908a87422eff9f33a40b069eb74d4556565425bad1d1b0e83f0cc220cf34f0b99a5faece5daff38
- SSDEEP
  
  98304:GgqM4j53BslobUytMfeUUzeeQY+fSOs0B4/:GQo3BXbUSXzdQP0B
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2
- Target
  
  Due invoices Mazaya_pdf_pdf.vbe.vir
- Size
  
  253KB
- MD5
  
  3919f2651d3a2150d2b0f4a524a21d4d
- SHA1
  
  73afa41f4077944a60cabb33039c0b2b53beaa19
- SHA256
  
  65483583f447318ebd71f370c19ac7a6b17bf6a88519d6bc0c8ed364e4c8c4af
- SHA512
  
  51e2cfb4dc884a6b95688290842781584294123f60ea725b2e1e9f38ad9c927f86c753958708889b44e015479188edcf649ac03302aa4f93066aa2f4559c2905
- SSDEEP
  
  6144:yim4VdU4dGdvf7ctWjc+wHRGUTAmyRFnc+Jg1m8mLIxCH:yyyjRtYtmiCH
Score

1^/10
behavioral3 behavioral4
- Target
  
  tools-读取浏览器敏感信息.exe.vir
- Size
  
  2.7MB
- MD5
  
  18a10beb3838795efe07c622dc8f8f03
- SHA1
  
  81ec86eb1739e62c7b53e18e63d30f38389c442e
- SHA256
  
  17f271033078f2f2eece8eee32675ce6c1c8daf46fff03c7b0d533ff0eea04db
- SHA512
  
  8d9d8b80b6a60531b5df0e162fbf8ecb02ebe97ce011ce6c130d1afa3dcee7e4833467995855e459a4e7ab83fb9727ee6c43629f4afe328ee4ec31186080ec7f
- SSDEEP
  
  24576:WA/6cfDiOoLAERYdIfkYRiP1mxgZJeNAPT6mCVo2007Uef5JGKRnT1ivjx637DI5:WANDiOoLxYdI7ksWy9egRfcYt
Score

10^/10

cobaltstrike 987654321 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral5 behavioral6
- Target
  
  信息收集模板.scr.vir
- Size
  
  50KB
- MD5
  
  49fabc0fad474cee7e352548ff0ca4e2
- SHA1
  
  03715013403f35a45e58f19c29f13ed007f7521e
- SHA256
  
  b5555ceee159bce03bbe42fe99ce0266908431aef6aca5a3dc84b54ac141972b
- SHA512
  
  3673da807e816c470365a466f628d82ac5f3ef25efa49acdcf66bdd5048a8ed5595aea04d0d30f809780e993a79c82e5493475494a28ffd602405b5fa8b7ef25
- SSDEEP
  
  768:PsCV043oy9FnDaVzDubBeuiP3CYO+eNfcF4Soker6qQ4HyWOPHxT+scX2v:PsCV0O3D6uUuHYOjNfcqJgqxOZcG
Score

10^/10

cobaltstrike 0 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral7 behavioral8
- Target
  
  公司资料.exe.vir
- Size
  
  3.8MB
- MD5
  
  dc2e923303897fb5004c34693dc2eb74
- SHA1
  
  92006b30ecda6a1c091d9f7f8a4c1f060f3b9188
- SHA256
  
  6cb75a4a8d2dbfaca87e837cf411fde1bb5b0cffd9a09f5e8bb077d9b385a446
- SHA512
  
  606f67640ad9be15b4275f409b430c476150219bee941a69adf4519dc229cbcd6ea20e71bff8be9204916682731941e0c315d1421dc115115cc1ae78bc32e807
- SSDEEP
  
  98304:GgqM4j53BslobUytMfeUUzeeQY+PSOs0/4lf:GQo3BXbUSXzdQ/0Nf
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral10 behavioral9
- Target
  
  安全检查资产上报收集表-20231103-___xlsx.scr.vir
- Size
  
  48KB
- MD5
  
  abcca3f54a53769573ea56017d98f83b
- SHA1
  
  ee0d28c358aa299422b92fb648feb7ee9788eef6
- SHA256
  
  bdc2b1fa8b1bfc0a01577f524cf54bf1cea087d39396e915c943d3304fcab03f
- SHA512
  
  a217a2466ea355aa998d8b2f4643246f782e0d5ab01827cf80622b1fcbacbe9c478fb777a1ed510e6170fcdfe7d80519155a769e2d68bf4193894275ce3b6968
- SSDEEP
  
  768:fkzyZG7SI3/5UOwVxzgXs/RH3KYO+eNfcF4Soker6qQ4HyWOPHxT+scX2v:fkziG/ejwYOjNfcqJgqxOZcG
Score

10^/10

cobaltstrike 0 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
behavioral11 behavioral12
- Target
  
  提交材料.exe.vir
- Size
  
  3.8MB
- MD5
  
  aacf37fe5bddbad79fe940b129e4ab20
- SHA1
  
  fa3b2b05bbf9fe0f076de647ee1b4d4c49e06c59
- SHA256
  
  fa84c2b8cd4846e1c224d7dfb26e3737393b5fe13738b8d725d9b3815f9b0be1
- SHA512
  
  28f69ea85c4fbf0e98b60db5c17d1bca1c152d75e63c676e0deb4dceb244d95cad5bdf9a407c6638b4e42eaf90ca565521892fcf196265a375693a681d416a87
- SSDEEP
  
  98304:GgqM4j53BslobUytMfeUUzeeQY+ySOs0q4R:GQo3BXbUSXzdQC0c
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral13 behavioral14
- Target
  
  李志-账号密码记录-解压密码-20231116.exe.vir
- Size
  
  13.4MB
- MD5
  
  2c8fb8705dbce5899bf596163a9b077a
- SHA1
  
  7233623d12b409760193c0be6fbb4b330fc74788
- SHA256
  
  ec799e2ed133c709d9eb321b3876c8c3167314ff14ea407f2bffea51322e1ad3
- SHA512
  
  22a63989d76dfc48c59f91196759b724ec7ff50bd41f61f5a590381e1563cc1059003e4087a6d65bcd95d50cc3991364d255343658b074193fcc8a949df21f40
- SSDEEP
  
  98304:83Xn/gtuU2ICoM6f465FjjnrZ/cfMKpSw6Z5Vc1EboPkywplb:MX/gtuU2IY6PBcfMbN5VcGbo8Z
Score

10^/10

cobaltstrike 100000 backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Executes dropped EXE
- Loads dropped DLL
behavioral15 behavioral16
- Target
  
  陈力-病例.exe.vir
- Size
  
  2.8MB
- MD5
  
  10c96aedcd2ed82fe26d937e7e29285f
- SHA1
  
  2d608da10f568af323d10710040e47aa67e4d470
- SHA256
  
  68872f9505bff7b151ff544de1916635f2df003db63fa3cc288d953d3895389f
- SHA512
  
  01b5eb4dd7b8089a58994ddbb3dc0499ada0cf1bf7bcfb1cc30acfb4c2e5a2ebb8b8a4a032d0bf76816ea2022d5bfa12544b7fbd74017221a81dedfda3001968
- SSDEEP
  
  49152:Q7RFAhs1nZUm9fe15Fg2UQ+UZnqctKj8mngNMjZ42xI0:0RF5AlqcG87Ojlx
Score

6^/10
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Cobaltstrike

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Cobaltstrike

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Cobaltstrike

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18