Overview

overview

10

Static

static

7

2023年11�...��.exe

windows7-x64

9

2023年11�...��.exe

windows10-2004-x64

9

Due invoic...be.ps1

windows7-x64

1

Due invoic...be.ps1

windows10-2004-x64

1

tools-读�...��.exe

windows7-x64

1

tools-读�...��.exe

windows10-2004-x64

10

信息收�...cr.exe

windows7-x64

1

信息收�...cr.exe

windows10-2004-x64

10

公司资料.exe

windows7-x64

9

公司资料.exe

windows10-2004-x64

9

安全检�...cr.exe

windows7-x64

1

安全检�...cr.exe

windows10-2004-x64

10

提交材料.exe

windows7-x64

9

提交材料.exe

windows10-2004-x64

9

李志-账...16.exe

windows7-x64

10

李志-账...16.exe

windows10-2004-x64

10

陈力-病例.exe

windows7-x64

6

陈力-病例.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-11-2023 07:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tools-读取浏览器敏感信息.exe

  • Size

    2.7MB

  • MD5

    18a10beb3838795efe07c622dc8f8f03

  • SHA1

    81ec86eb1739e62c7b53e18e63d30f38389c442e

  • SHA256

    17f271033078f2f2eece8eee32675ce6c1c8daf46fff03c7b0d533ff0eea04db

  • SHA512

    8d9d8b80b6a60531b5df0e162fbf8ecb02ebe97ce011ce6c130d1afa3dcee7e4833467995855e459a4e7ab83fb9727ee6c43629f4afe328ee4ec31186080ec7f

  • SSDEEP

    24576:WA/6cfDiOoLAERYdIfkYRiP1mxgZJeNAPT6mCVo2007Uef5JGKRnT1ivjx637DI5:WANDiOoLxYdI7ksWy9egRfcYt

Score
10/10
cobaltstrike987654321backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://101.33.196.232:50080/g.pixel

Attributes
  • access_type

    512

  • host

    101.33.196.232,/g.pixel

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    50080

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFvNsNMz+wjKBz8+fAbCDfp8OlTq80fRxt9K0GPS+NksQsIwJiMrpPyqCNkV7e6Kp6zhlRcnnSXF3CCQZabTqKzy2MPrgzrN5u2Ck1hcKZD78r0xc++4DlyY0vT2LVPG93cZ6NUzP5libC1qkHsgFZiiLso8zMNvSje5hQk2hBMQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)

  • watermark

    987654321

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\tools-读取浏览器敏感信息.exe
    "C:\Users\Admin\AppData\Local\Temp\tools-读取浏览器敏感信息.exe"
    1⤵
      PID:4056

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4056-0-0x0000000047880000-0x00000000478C4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/4056-1-0x0000000047A10000-0x0000000047A62000-memory.dmp
      Filesize

      328KB

      Download
    • memory/4056-2-0x000000004A2E0000-0x000000004A2E2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4056-3-0x0000000140000000-0x0000000141273000-memory.dmp
      Filesize

      18.4MB

      Download
    • memory/4056-5-0x0000000047A10000-0x0000000047A62000-memory.dmp
      Filesize

      328KB

      Download
    • memory/4056-9-0x0000000140000000-0x0000000141273000-memory.dmp
      Filesize

      18.4MB

      Download
    • memory/4056-15-0x0000000140000000-0x0000000141273000-memory.dmp
      Filesize

      18.4MB

      Download
    • memory/4056-16-0x0000000140000000-0x0000000141273000-memory.dmp
      Filesize

      18.4MB

      Download