Malware Analysis Report

2024-08-06 11:03

Sample ID 231221-kp3v9agcfj
Target eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138
SHA256 eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138
Tags
cobaltstrike 100000000 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138

Threat Level: Known bad

The file eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138 was found to be: Known bad.

Malicious Activity Summary

cobaltstrike 100000000 backdoor trojan

Cobaltstrike

Unsigned PE

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-21 08:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-21 08:47

Reported

2023-12-21 08:50

Platform

win7-20231215-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138.exe

"C:\Users\Admin\AppData\Local\Temp\eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.wps.cn udp
CN 139.9.135.197:443 www.wps.cn tcp
CN 101.206.201.231:443 tcp
N/A 127.0.0.1:60001 tcp
CN 119.3.210.249:443 www.wps.cn tcp
CN 101.206.201.232:443 tcp
US 8.8.8.8:53 down.360safe.com udp
US 104.192.108.21:443 down.360safe.com tcp
CN 139.9.135.197:443 www.wps.cn tcp
CN 101.206.201.249:443 tcp
CN 119.3.210.249:443 www.wps.cn tcp
CN 1.56.96.115:443 tcp
US 8.8.8.8:53 vip.wps.cn udp
CN 139.9.135.197:443 vip.wps.cn tcp
CN 101.206.202.177:443 tcp
CN 119.3.210.249:443 vip.wps.cn tcp
CN 1.71.156.254:443 tcp
US 8.8.8.8:53 www.kdocs.cn udp
SG 43.159.114.22:443 www.kdocs.cn tcp
US 8.8.8.8:53 account.wps.cn udp
SG 43.159.115.88:443 account.wps.cn tcp
US 8.8.8.8:53 bbs.sangfor.com.cn udp
CN 121.46.24.149:443 bbs.sangfor.com.cn tcp

Files

memory/2012-0-0x0000000028D40000-0x0000000028D8F000-memory.dmp

memory/2012-1-0x00000000024B0000-0x00000000024B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-21 08:47

Reported

2023-12-21 08:50

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138.exe

"C:\Users\Admin\AppData\Local\Temp\eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 365.wps.cn udp
CN 119.3.190.20:443 365.wps.cn tcp
N/A 127.0.0.1:60001 tcp
CN 101.206.201.232:443 tcp
CN 119.3.191.240:443 365.wps.cn tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
CN 1.56.96.109:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 updatem.360safe.com udp
US 104.192.108.21:443 updatem.360safe.com tcp
US 8.8.8.8:53 21.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 updatem.360safe.com udp
US 104.192.108.17:443 updatem.360safe.com tcp
US 8.8.8.8:53 17.108.192.104.in-addr.arpa udp
CN 119.3.190.20:443 365.wps.cn tcp
CN 101.206.202.180:443 tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
CN 119.3.191.240:443 365.wps.cn tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
CN 101.206.202.177:443 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 bbs.sangfor.com.cn udp
CN 121.46.24.149:443 bbs.sangfor.com.cn tcp
US 8.8.8.8:53 149.24.46.121.in-addr.arpa udp
US 8.8.8.8:53 down.360safe.com udp
US 104.192.108.21:443 down.360safe.com tcp
CN 121.46.24.149:443 bbs.sangfor.com.cn tcp
CN 101.206.201.217:443 tcp
US 8.8.8.8:53 update.360safe.com udp
CN 101.199.97.243:443 update.360safe.com tcp
CN 171.8.167.71:443 update.360safe.com tcp
CN 1.71.3.114:443 tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/220-0-0x000001BEEDD10000-0x000001BEEDD5F000-memory.dmp

memory/220-1-0x000001BEEDCC0000-0x000001BEEDD01000-memory.dmp

memory/220-2-0x000001BEEDCC0000-0x000001BEEDD01000-memory.dmp