General

  • Target

    4ab08fd126e8a00fbc268666def9d54c5ca84c79b038ed8cb62ccdd27d7fc1cc

  • Size

    843KB

  • Sample

    231122-dts4aahh74

  • MD5

    f2bbbc4ea53a66218b010ecc59f49454

  • SHA1

    22d4920f9d5444ebb65b77037fd972fa7cb7c153

  • SHA256

    4ab08fd126e8a00fbc268666def9d54c5ca84c79b038ed8cb62ccdd27d7fc1cc

  • SHA512

    2a93449febeba51ff04210ec5ef7065023d419ebf8c91877bf6620d6c9275440ad6013978e3aeec6e73bc88a0182f2d0bcc7d80845d6c2e7e1b4e5bed3f12f89

  • SSDEEP

    24576:dVHXJDxzkW1ZpW0Y1caAFS5UKvzK8iN5D:d1XJNzk8OcaAFOU6zK8iN5D

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    391144938

  • C2

    http://ts01.gi-tech.com.tw:443/EIIMS_RewardPoint/api/getlog

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    ts01.gi-tech.com.tw,/EIIMS_RewardPoint/api/getlog

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    11520

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\werfault.exe

  • sc_process64

    %windir%\sysnative\werfault.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaMB3hlZx6cNTZZ8qC6QTB8PMNQOg0s8MrmgXCl7Zf7h983WcGuIxwfl3VZUvk/689fhUbi2I6PPXOddpk1G6jBAaHPaAtBA8frIQcuTf4Vs8DnDYzYVpDKD03Ia9o6jQMCs1fRQUX8w4WVbb4kTXBnjOOJ6PUoV3IWMHLLGrZAwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    9.328448e+08

  • unknown2

    AAAABAAAAAEAAAXoAAAAAgAAAAsAAAACAAA+6QAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /EIIMS_RewardPoint/api/QueryData

  • user_agent

    Mozilla/5.0 (compatibles; MSIE 10.0; Windows NT 7.0; InfoPath.8; .NET CLR 3.1.40717; Tri1dent/6.0; en-IN)

  • watermark

    391144938
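
The attribute list above is a complete C2 profile: the host, a GET URI and a POST URI, the User-Agent, the spawn-to processes, the sleep time, and the team server's RSA public key (listed as state_machine; beacons encrypt their session metadata to it). The Python below is an added example for this report, not code from the sandbox vendor or the malware author. It hand-parses the key blob to confirm it is a 1024-bit rsaEncryption SubjectPublicKeyInfo, then runs the network indicators over constructed proxy-log lines, flagging the exact User-Agent separately from its malformed tokens and comparing each source's check-in cadence with polling_time. The log line format, source IPs, timestamps and the 20% cadence tolerance are assumptions of the example.

```python
"""Hunt helpers built from the Cobalt Strike config extracted above.
Added example; not sandbox or malware-author tooling. Log lines are constructed."""
import base64
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Indicators copied verbatim from the extracted config.
C2_HOST, C2_PORT = "ts01.gi-tech.com.tw", 443
GET_URI = "/EIIMS_RewardPoint/api/getlog"      # host field, requested with http_method1 = GET
POST_URI = "/EIIMS_RewardPoint/api/QueryData"  # uri field, requested with http_method2 = POST
USER_AGENT = ("Mozilla/5.0 (compatibles; MSIE 10.0; Windows NT 7.0; "
              "InfoPath.8; .NET CLR 3.1.40717; Tri1dent/6.0; en-IN)")
POLLING_MS = 5000                              # polling_time, milliseconds
# Tokens in the configured User-Agent that no real browser sends: "compatible;" is
# misspelled, no Windows release reports NT 7.0, and "Trident" is spelled with a 1.
MALFORMED_UA_TOKENS = ("compatibles;", "Windows NT 7.0", "Tri1dent/")
# state_machine field: DER SubjectPublicKeyInfo (216 base64 chars) followed by
# zero bytes that pad the config slot to 256 bytes.
PUBLIC_KEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaMB3hlZx6cNTZZ8qC6QTB8PMNQOg0s8Mrmg"
    "XCl7Zf7h983WcGuIxwfl3VZUvk/689fhUbi2I6PPXOddpk1G6jBAaHPaAtBA8frIQcuTf4Vs8D"
    "nDYzYVpDKD03Ia9o6jQMCs1fRQUX8w4WVbb4kTXBnjOOJ6PUoV3IWMHLLGrZAwIDAQAB"
    + "A" * 126 + "==")
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(b64):
    """Return (modulus, exponent) from the base64 SPKI; trailing zero padding is ignored."""
    tag, spki, _ = _tlv(base64.b64decode(b64), 0)
    _, alg, pos = _tlv(spki, 0)                # AlgorithmIdentifier
    _, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = _tlv(spki, pos)             # BIT STRING; first byte = unused-bit count
    _, rsakey, _ = _tlv(bitstr[1:], 0)         # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, pos = _tlv(rsakey, 0)
    _, e, _ = _tlv(rsakey, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

# Constructed proxy log format: <ts> <src> <method> <host>:<port> <path> <status> "<ua>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^: ]+):'
                    r'(?P<port>\d+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def _line(ts, src, method, host, path, ua):
    return f'{ts} {src} {method} {host}:443 {path} 200 "{ua}"'

SAMPLE_PROXY_LOG = [  # 10.0.4.21 checks in every 5 s, matching polling_time
    _line("2023-11-16T09:12:03Z", "10.0.4.21", "GET", C2_HOST, GET_URI, USER_AGENT),
    _line("2023-11-16T09:12:05Z", "10.0.4.22", "GET", "www.example.com", "/index.html",
          "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0 Safari/537.36"),
    _line("2023-11-16T09:12:08Z", "10.0.4.21", "GET", C2_HOST, GET_URI, USER_AGENT),
    _line("2023-11-16T09:12:13Z", "10.0.4.21", "POST", C2_HOST, POST_URI, USER_AGENT),
    _line("2023-11-16T09:12:18Z", "10.0.4.21", "GET", C2_HOST, GET_URI, USER_AGENT),
    # Same malformed tokens on another host: worth a look, but not this C2.
    _line("2023-11-16T09:13:40Z", "10.0.4.23", "GET", "cdn.example.net", "/static/app.js",
          "Mozilla/5.0 (compatibles; MSIE 10.0; Windows NT 7.0; Trident/6.0)"),
]

def classify(line):
    """Return the indicator names one proxy log line matches (empty list if none)."""
    m = LOG_RE.match(line)
    if m is None:
        return []
    hits = []
    if m["host"] == C2_HOST and int(m["port"]) == C2_PORT:
        hits.append("c2-host")
    if (m["method"], m["path"]) in {("GET", GET_URI), ("POST", POST_URI)}:
        hits.append("c2-uri")
    if m["ua"] == USER_AGENT:
        hits.append("c2-user-agent")
    elif any(tok in m["ua"] for tok in MALFORMED_UA_TOKENS):
        hits.append("malformed-user-agent")
    return hits

def hunt(lines):
    """Group hits per source IP and compare its request cadence with polling_time
    (20% tolerance is an assumption; the configured jitter widens the real spread)."""
    per_src = defaultdict(lambda: {"hits": set(), "ts": []})
    for line in lines:
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            per_src[m["src"]]["hits"].update(hits)
            per_src[m["src"]]["ts"].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    expected, report = POLLING_MS / 1000, {}
    for src, entry in per_src.items():
        ts = sorted(entry["ts"])
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = median(deltas) if deltas else None
        report[src] = {"hits": sorted(entry["hits"]), "median_interval_s": med,
                       "near_polling_time": med is not None and abs(med - expected) <= 0.2 * expected}
    return report
```

The host and URI pair is the strong signal; the three malformed User-Agent tokens are weaker. They would also catch a beacon pointed at a different host that reuses this profile, but they fire on anything else that copied the string, so treat a User-Agent-only hit as a lead rather than a verdict.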

Targets

    • Target

      logs/2023-11-16.log

    • Size

      21KB

    • MD5

      514b38829e6d5db78f2875977fd770b9

    • SHA1

      767eb51d01846c0d0b52e7a7fd93c0f9b4dd16eb

    • SHA256

      485476d4fccb412a2c3ef9301bf152c080de29b7116af7767490a370cf1f316c

    • SHA512

      8fecf9d46705b4633787d67c069483cf8717f74d175e128bb082cf6421cb9ccb1408781d3b106d5edb6314cbf7e24ea1bac11d1413de60aa61e18d2959ee9e3f

    • SSDEEP

      384:Cl8N54QkQkVtHLtsqB5JhFyRvx6pg0Lfipx+EmckPxiTZwGpm7:Z7GVTsBpciCEmckPxiT+ym7

    Score
    1/10
    • Target

      logs/service.log

    • Size

      39KB

    • MD5

      fc718ebb13a93c1f7b74cfbcffcf61fe

    • SHA1

      287f1441b57a06c3b04cf2cba15a310ed70af6a6

    • SHA256

      215ca01c99e864395fa2e97bca4a1b54c5f681c642638d650365e9f87851dd85

    • SHA512

      bc0f35092cd01fa0a0565358654bf05c9b37523c8b160c74e37951ca7efc70e325c46d6a00ad3354fabce31933e78078769393b6673a8e501d45770519ff0818

    • SSDEEP

      768:jvAXYxKTUtmPeBj16M0SU7wEo6gqXG8OrPZK6xrm+XxSxAKh:joXYxKTUtmPeRYSU7pgb8O7xiDjh

    Score
    1/10
    • Target

      環保業務管理系統-client.exe

    • Size

      1.5MB

    • MD5

      2efcdac5eaf8a6c410fd2f032d40e2d9

    • SHA1

      cc8c87f8f699ac9687f686a9af420574edea0807

    • SHA256

      be020519b839ad9e8607a42ec46723ca0c8273f50899a64914c0afd45e2d4040

    • SHA512

      96c6aad04b08ada07b335b37d5d326010ed3c8bd48b80cab6ee07346f3f16ad6e0a8f98fad12cc85009bb1d8ef1370626bfc77d066943d270d8a2d5887663fbb

    • SSDEEP

      24576:FCQaKNrvb2zejhrWNVy1y9uVyr9DR10E/Y3YK2VZhZbPG9Gyrl:F0mbtroVy1ysyrVZhZG

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Executes dropped EXE

    • Loads dropped DLL
