General

  • Target

    14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a

  • Size

    378KB

  • Sample

    231201-jtsemsgb3s

  • MD5

    d04eaf025dfec65b50d1ce1960e00583

  • SHA1

    f042cea0283ecb5e487cb69e5790edec221e9c50

  • SHA256

    14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a

  • SHA512

    951fbe9210ee7e9564149e16df00d42f9742b671e3d2624b749faca7fbe0f354178b81bd5827ef3ca802dce3dedd7f541949bb1927f7d01dd57624eb0923f46f

  • SSDEEP

    6144:hdUEUGjKMw8rzAf7KWu1EcTUQROENqP5m3nCWkV7kfL/uJMdzY2BiT2wnfq:hdkMwtlcTUQquXkV7kfLmGdzYr2wnfq

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://106.75.230.14:8443/static/js/jquery-v3.2.0.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    106.75.230.14,/static/js/jquery-v3.2.0.min.js

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    300000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCV0crClNlojga1ZUpQePu6yayzfvakcqdlSlnr7I5KDk9dctuhdMuEkf/guDBT3KjCO5FZqP4tHTjnfUoL1E0SKa386QMeXARo+D1lFp5lB5EGoHmTMysDRTx/QDSfGcx0Ni/HO7L2izqdtjFr322yto5WXf6Kwj2P+5EbSqQapwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /static/js/jquery-v3.2.2.min.js

  • user_agent

    Mozilla/9.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    100000

Targets

    • Target

      14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Matrix ATT&CK v13

Discovery

  • Query Registry

    T1012 (3)

  • System Information Discovery

    T1082 (4)

Tasks