Overview

overview

10

Static

static

3

etc/libepsbase.dll

windows7-x64

1

etc/libepsbase.dll

windows10-2004-x64

1

etc/wpsserver.exe

windows7-x64

10

etc/wpsserver.exe

windows10-2004-x64

10

点击运行.lnk

windows7-x64

3

点击运行.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    85ab4629aaab569abeb6aa8b097e91a3764712b99460cab1d2e3d380428c7bb7

  • Size

    496KB

  • Sample

    231226-gdw2sadab9

  • MD5

    49bc9eeccd761662e2c926fb902eb846

  • SHA1

    a42b29540607f52febe0f638f1a571c60dedf657

  • SHA256

    85ab4629aaab569abeb6aa8b097e91a3764712b99460cab1d2e3d380428c7bb7

  • SHA512

    ce2d40724eccd0d5e4e19982074b5a3287fc719ddac5bde08be58d37a3a767b4f9402f143b035faa1053b143b2520055a3d5407194428fe06feeb8927d874f91

  • SSDEEP

    12288:GRC5fZPirCcdy3N8YS2bXXDp4Ve+18ErR89PcjKrvv23Hvwq:GRkZPi5rGnGVgEFKM8v23HYq

Score
10/10
cobaltstrike100000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://222.186.131.95:39443/api/auth/v1/log

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    222.186.131.95,/api/auth/v1/log

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAJUFjY2VwdC1MYW5ndWFnZTogZW4tR0I7cT0wLjksICo7cT0wLjcAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9984

  • polling_time

    18016

  • port_number

    39443

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk8TDQPDxrtDGQd+EZF7en9yNcmEcpX9f9OG5xoAdUEd50W7ip+X1tDdewzxxRp3HdfrK0OxB9cI7NBCKXHDdV+bT6cvTx7EJ0LylxrbclEAMSV6IiSGP9x8bq5ydLNO+IuyT/APMdnUhZYRB9OQ7iwt09O+atIh1E+R/cPkSwTwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /api/baidu/auth

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36

  • watermark

    100000

Targets

    • Target

      etc/libepsbase.dll

    • Size

      896KB

    • MD5

      c51743451f08a38b58d0e887432cf6d5

    • SHA1

      36f5e1d5bd2ccf472293aa30bf48d579d58874c2

    • SHA256

      fb87c0c70e1bd14856c9a86fba84d7fb189847e3d8ed1decf890334f5890c642

    • SHA512

      88984f3b071844b8313f6da7f7d1f55dcc31be6f708517ceaa8d702e72e5fa07db7eabe0cfeeaef18c1f8899663fc386ed6c44dd6c6c2282955db2c338a9c51a

    • SSDEEP

      24576:NMDig+apK/pYAHaOM06oNbIcKqXAzq4Yz4r3T91E5HcWg9VXZCea4cHGi8JgjW1T:qDig+FO+Cm

    Score
    1/10
    behavioral1behavioral2

    • Target

      etc/wpsserver.exe

    • Size

      123KB

    • MD5

      fc0a93686ae6248347f1cd62a12a8d19

    • SHA1

      228ddd918d0456e96785a93c9bb02d0fd9d66b6b

    • SHA256

      a08e0068d9244c9ef48b74c685b984bf01d889d9b2b18fa74e6dd6344a0a9f22

    • SHA512

      b9cdf8e66c958aea76a3111754c1db4661ed8762be6ee350e4b3d4dbb73bc12ccff2b096cdafb858ec6d30ed89d1b431554cae7b1c22349f19af43fd7c3d029e

    • SSDEEP

      3072:2k0S7BfBeU1TM1fHiyqCyrLZt4meRqvZ7gimRYJyDvu:2g7BfBe4G/iyPyHZt4TRYA

    Score
    10/10
    cobaltstrike100000backdoortrojan
    behavioral3behavioral4

    • Target

      点击运行.lnk

    • Size

      878B

    • MD5

      c9f75aaeebc02aa5c121b47bc32e93dd

    • SHA1

      f5bf81c81fa853a49cee6eb1fed56e2b4afe31e0

    • SHA256

      35c8ea732d7c05699f8a7f34d7bb296b597dffd9fcc436fb69bdd022896584c8

    • SHA512

      e0feb68584a020b073e300333ea1faa01167db6375ab1b454905f9a0c9516db25467b980a90c479fd913a5a9e908baaef342f8fb442e5085df482ce08b77ad55

    Score
    10/10
    cobaltstrike100000backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks