Analysis

  • max time kernel
    141s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-02-2024 11:33

General

  • Target

    5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe

  • Size

    4.0MB

  • MD5

    07d39a51862b3d28a806fc106134acf2

  • SHA1

    72f4f6afca8888adfaed3ea3794e3c734b2e8665

  • SHA256

    5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e

  • SHA512

    1970523761d8ee3e412718f3c9cbca8b17a1d4444c74cd658440f860861b5ea6e9688d282c51636b6e460d156a614ec0cc7bcfd8b1c0292f5993974d6960a0bd

  • SSDEEP

    98304:MBSUuZRwje/N12R6oTTbW0mK2Zvf3jtiu/aXVPOOwexy2sovFA:uS1/v2R6pm2ZDn/u5E2sovm

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    100000000

  • C2

    http://baidu.611110.xyz:8443/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    baidu.611110.xyz,/jquery-3.3.1.min.js

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    45000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCou2nMjOD8CJQrE4//5qNojmlYn1wREf9dYHd3ipigkBoAJ9EonsvD82Q0ZW1DhjTYHzpxmQwhEB7G6CLlQ12ua+XdBE3oUTt/Xhh/ZwwjhmSv11WlED9Q8n5phHQqN0lgWmn9wBl0yBF9OZ1ZN/UT0w0y2WP2ViI/uA641MwC7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    100000000

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Loads dropped DLL 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe
    "C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe
      "C:\Users\Admin\AppData\Local\Temp\5f8953238f5750ea92e866f20d3d25f69b3a5ff0b16e085ca65b234ed661ee8e.exe"
      2⤵
      • Loads dropped DLL
      PID:4232

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI28082\_ctypes.pyd
    Filesize

    119KB

    MD5

    f5ec0b24dfc7952241c7a86abfb61455

    SHA1

    84176ec5d9f6d106a3ac1724539dfccb7c4c6c33

    SHA256

    6c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191

    SHA512

    91fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040

  • C:\Users\Admin\AppData\Local\Temp\_MEI28082\_hashlib.pyd
    Filesize

    163KB

    MD5

    0aab068bf3964f684cfd7e7557a8f4cd

    SHA1

    86c8b993128ecf8818e03149e29127dcc8883ccf

    SHA256

    0ce6ba11dc69141d7defe28b53c26b30476d1b05c7d033f5a72f3217a26804c9

    SHA512

    fea8aa9326703bc36475736a43564c33b3bcfeccf05823aabf27bd7dfd7f5e4cf30acea05b4d29011a002a3e9b334fee637f5c68aea5940d3c62c68f0bb8c42c

  • C:\Users\Admin\AppData\Local\Temp\_MEI28082\_hashlib.pyd
    Filesize

    82KB

    MD5

    7110971ded3cbc101cdfd9a470f2a404

    SHA1

    58b620084187002648dc05651c17e0d7c00cefcb

    SHA256

    251a3974c9a2751f17e37570dba006b7c8ca78c4b07917fc22f6f406eba74cc4

    SHA512

    63260cc7ebc45e68fb45552fb820ec73cbb1777a91453c7cd00382b850706a2fe950becac5cae20385fb413efc1f11671096323ce067396e8b88a66a5bb39cf6

  • C:\Users\Admin\AppData\Local\Temp\_MEI28082\https.exe.manifest
    Filesize

    1KB

    MD5

    b23faae7b6a781b3ac05d62e7c13a1b6

    SHA1

    36f48cc883a3e5007f9f3c153ef5bd3cb4d44573

    SHA256

    0116dfb0aea4f3dd3d92f3aa3e1c3d9828667da79bfbd054ffe2b08742ae6563

    SHA512

    7f42f66506c3f025760dc6123f56ef603338ba23c58b155d20eca053aa41448b25e6d9afcd1114d21a11d0fea40f6982d3dc4d0cf276579f71838fe1c5409721

  • C:\Users\Admin\AppData\Local\Temp\_MEI28082\python27.dll
    Filesize

    219KB

    MD5

    2cd75024fff909a74b9c9feb4a5d5bb8

    SHA1

    0926eed3d3e0bfc63180eab20f8492106687477d

    SHA256

    506bfc614c696af0c6788497e044a9b51c850f0876c97d8b5b6aa7fe901eb3aa

    SHA512

    371dcfa4b37e1e18af899d6754d4b414761c3f5e9a76b472d87d45039c97ca18e5af6ab38097897bb1d62670e677487a1bae50cdce628af85f0dfcf5566da5ca

  • C:\Users\Admin\AppData\Local\Temp\_MEI28082\python27.dll
    Filesize

    118KB

    MD5

    a0de15415c6ee39a684f59d9ee3d153f

    SHA1

    9905e821bea6157c6c7481189e3b9bf4a4bd50b4

    SHA256

    2f293c524bcad84659ddb2b941bfb5e1dd6745f328da02b68886dbdaaab2ac7d

    SHA512

    426eadaaaf625602de54428fd791f986640f4087140150880ef76c88116c5182a63d95d470cb2fcda094bfa9ed11e925bc03bcc1afbc741e8c2a66c25d0ae37d

  • memory/2808-18-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/4232-19-0x0000000000400000-0x0000000000435000-memory.dmp
    Filesize

    212KB

  • memory/4232-33-0x00000000000F0000-0x00000000001F0000-memory.dmp
    Filesize

    1024KB

  • memory/4232-32-0x0000000004BA0000-0x0000000005012000-memory.dmp
    Filesize

    4.4MB

  • memory/4232-38-0x00000000000F0000-0x00000000001F0000-memory.dmp
    Filesize

    1024KB