Analysis

  • max time kernel
    163s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 08:31

General

  • Target

    fd7ddb3105b4acc3193b42a2475c39921656f70af0a390439bcfb7d3ecd1bcba.exe

  • Size

    4.1MB

  • MD5

    a822ad57e960e2dffdc8c9fdddc2ecf4

  • SHA1

    8aab7a4a40e949ad49040b6b141fcb81cb2479bd

  • SHA256

    fd7ddb3105b4acc3193b42a2475c39921656f70af0a390439bcfb7d3ecd1bcba

  • SHA512

    f860dc91811408168d594be2de5d98df762138fb4376b1bc022ef1af5ae527cc617cff1ddf9b428e6bddecabc59a0a02a8202d610c5976f0d6af3621b24838aa

  • SSDEEP

    98304:HljI1SmddLRrsR/Y92q5HNFLOAkGkzdnEVomFHKnPP:HJAd0Ysq5HNFLOyomFHKnPP

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://183.131.118.35:80/api/v2/SysconfigUsingGet

http://150.138.110.35:80/api/v2/SysconfigUsingGet

http://111.174.9.35:80/api/v2/SysconfigUsingGet

http://106.225.194.35:80/api/v2/SysconfigUsingGet

http://112.49.54.35:80/api/v2/SysconfigUsingGet

http://61.157.38.35:80/api/v2/SysconfigUsingGet

Attributes
  • access_type

    512

  • host

    183.131.118.35,/api/v2/SysconfigUsingGet,150.138.110.35,/api/v2/SysconfigUsingGet,111.174.9.35,/api/v2/SysconfigUsingGet,106.225.194.35,/api/v2/SysconfigUsingGet,112.49.54.35,/api/v2/SysconfigUsingGet,61.157.38.35,/api/v2/SysconfigUsingGet

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    35000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCybUBngQWbCUzDYGsNNcmiOKH3SjEhpdMBnS9p6/sg+5sXNN938wG3CHFdLVwe07hcR/tNphXX0cNJ603xQiq8b5WbD+vm/UGnftlCmWrB1dw76eR8LAgiaX75iRIIj7acafXBGmiYzgXnMZAd3RdL9tERhkaHU0C2ssOCLRHUKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /api/v2/TeamSpaceInfo

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

  • watermark

    100000000
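The two http_header blobs above are the beacon's serialized malleable-C2 transform programs (the http-get and http-post client blocks), and the host attribute is a flat, comma-joined list that alternates host and URI. The following decoder is an added example written for this page; it is not code from the sandbox report or from Cobalt Strike. The opcode numbering follows the publicly documented Beacon config format, and the inputs are the blobs and host string copied from the report (with the zero padding after the terminate opcode trimmed, since decoding stops there). Function and constant names are this example's own.

```python
"""Decode the Cobalt Strike transform blocks and host list printed above."""
import base64
import struct

# Sample inputs copied from the report (constructed test data for this example;
# the trailing all-zero padding of the two header blobs is cut off).
HTTP_HEADER1 = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYA"
    "AAAGQ29va2llAAAAAAAAAAAA"
)
HTTP_HEADER2 = (
    "AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAA"
    "AAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAA"
)
HOST_ATTR = (
    "183.131.118.35,/api/v2/SysconfigUsingGet,150.138.110.35,/api/v2/SysconfigUsingGet,"
    "111.174.9.35,/api/v2/SysconfigUsingGet,106.225.194.35,/api/v2/SysconfigUsingGet,"
    "112.49.54.35,/api/v2/SysconfigUsingGet,61.157.38.35,/api/v2/SysconfigUsingGet"
)
PORT = 80

# Transform opcodes in Beacon's serialized config; every field is a big-endian uint32.
OPCODES = {
    0: "terminate", 1: "append", 2: "prepend", 3: "base64", 4: "print",
    5: "parameter", 6: "header", 7: "build", 8: "netbios",
    9: "const_parameter", 10: "const_header", 11: "netbiosu",
    12: "uri_append", 13: "base64url", 14: "strrep", 15: "mask",
    16: "const_host_header",
}
ONE_STRING = {1, 2, 5, 6, 9, 10, 16}   # opcode, length, bytes
TWO_STRINGS = {14}                      # strrep: opcode, len, bytes, len, bytes


def decode_transform(b64_blob: str) -> list:
    """Parse a base64 transform blob into (name, *args) tuples, stopping at terminate."""
    data = base64.b64decode(b64_blob)
    pos, steps = 0, []

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value

    def cstr() -> str:
        nonlocal pos
        length = u32()
        value = data[pos:pos + length].decode("latin-1")
        pos += length
        return value

    while pos + 4 <= len(data):
        op = u32()
        name = OPCODES.get(op, f"unknown_{op}")
        if op == 0:
            steps.append(("terminate",))
            break
        if op in ONE_STRING:
            steps.append((name, cstr()))
        elif op in TWO_STRINGS:
            steps.append((name, cstr(), cstr()))
        elif op == 7:                      # build: 0 = metadata (get) / id (post), 1 = output
            steps.append((name, u32()))
        else:
            steps.append((name,))          # base64, print, netbios, mask, ...
    return steps


def render_profile(block: str, steps: list) -> str:
    """Render decoded steps as a malleable-C2 style client block ("http-get"/"http-post").

    Internal opcode names are kept (const_header vs header) so the reader can tell a
    static header from one that carries beacon data.
    """
    build_names = {0: "metadata" if block == "http-get" else "id", 1: "output"}
    lines, in_build = [f"{block} {{", "    client {"], False
    for name, *args in steps:
        if name in ("build", "terminate"):
            if in_build:
                lines.append("        }")
                in_build = False
            if name == "build":
                lines.append(f"        {build_names[args[0]]} {{")
                in_build = True
            continue
        indent = "            " if in_build else "        "
        rendered = " ".join(f'"{a}"' for a in args)
        lines.append(indent + f"{name} {rendered}".rstrip() + ";")
    lines += ["    }", "}"]
    return "\n".join(lines)


def carrier_header(steps: list) -> tuple:
    """Return (header name, literal prefix) of the first build block: where the
    beacon's metadata/session id travels on the wire and what precedes it."""
    header, prefix, inside = None, "", False
    for name, *args in steps:
        if name == "build":
            if inside:
                break
            inside = True
        elif inside and name == "prepend":
            prefix = args[0] + prefix      # later prepends wrap earlier ones
        elif inside and name == "header":
            header = args[0]
        elif name == "terminate":
            break
    return header, prefix


def parse_hosts(host_attr: str) -> list:
    """Split the report's comma-joined host attribute into (host, uri) pairs."""
    parts = host_attr.split(",")
    if len(parts) % 2:
        raise ValueError("host attribute must alternate host,uri")
    return list(zip(parts[0::2], parts[1::2]))


def get_urls(host_attr: str, port: int) -> list:
    """Reconstruct the GET check-in URLs the report lists under C2."""
    return [f"http://{h}:{port}{u}" for h, u in parse_hosts(host_attr)]


if __name__ == "__main__":
    print(render_profile("http-get", decode_transform(HTTP_HEADER1)))
    print(render_profile("http-post", decode_transform(HTTP_HEADER2)))
    print(carrier_header(decode_transform(HTTP_HEADER1)))
    print("\n".join(get_urls(HOST_ATTR, PORT)))
```

Run as a script, it prints that the GET check-in carries the base64 metadata in a Cookie header prefixed with SESSIONID=, and the POST (to the uri attribute, /api/v2/TeamSpaceInfo) carries the session id as Cookie: JSESSION=... with a base64 body, which is the concrete string pair to hunt for in proxy logs alongside the six hosts. Two caveats on the other timing fields: polling_time 35000 is the sleep in milliseconds (35 s); the jitter value 9472 is outside the 0-99 percent range a profile accepts and equals 0x2500, so it may be a 16-bit field read in the other byte order (0x0025 = 37%), but that is an inference from the arithmetic, not something the report confirms.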

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd7ddb3105b4acc3193b42a2475c39921656f70af0a390439bcfb7d3ecd1bcba.exe
    "C:\Users\Admin\AppData\Local\Temp\fd7ddb3105b4acc3193b42a2475c39921656f70af0a390439bcfb7d3ecd1bcba.exe"
    • Suspicious use of SetWindowsHookEx
    PID:2248

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2248-1-0x0000000076E30000-0x0000000076FD9000-memory.dmp
    Filesize

    1.7MB

  • memory/2248-2-0x0000000000140000-0x0000000000181000-memory.dmp
    Filesize

    260KB

  • memory/2248-3-0x0000000002720000-0x0000000002B92000-memory.dmp
    Filesize

    4.4MB

  • memory/2248-4-0x0000000076E30000-0x0000000076FD9000-memory.dmp
    Filesize

    1.7MB

  • memory/2248-5-0x0000000002720000-0x0000000002B92000-memory.dmp
    Filesize

    4.4MB

  • memory/2248-6-0x0000000002720000-0x0000000002B92000-memory.dmp
    Filesize

    4.4MB

  • memory/2248-7-0x0000000002720000-0x0000000002B92000-memory.dmp
    Filesize

    4.4MB