General

  • Target

    32.bat

  • Size

    417KB

  • Sample

    240220-2w9qtaga91

  • MD5

    491ef28793ff8cc09602e9c264d5ae2e

  • SHA1

    67bb8667815f804657b954c1242ef8b1d786caae

  • SHA256

    b97f968af236575902ae57b3a08b0607fc18feccf64864980027496d44db1de3

  • SHA512

    9ed48a06125b327538f9e2e9f347c6b11396b3fb89517dbb2de85226fbe3320289253f4f2fd1e778a53027c59f81fb8cbafb3a8da9a2879716646910b8c3d30f

  • SSDEEP

    6144:as4xxdacT9hTe93yvbYRi5Th7w0QjXi5tAwL/JiJ0D+++kS2R7qBVLc1dY:P4xxdaIp+c0Ri1FQjyriO5vSm7c

Malware Config

Extracted

Family

cobaltstrike

Botnet

666

C2

http://horseridinghotel.com:443/wp-content/unsalted-condensed-soups/

Attributes

  • access_type

    512

  • beacon_type

    2048

  • dns_idle

    6.7372036e+07

  • dns_sleep

    8.1297408e+08

  • host

    horseridinghotel.com,/wp-content/unsalted-condensed-soups/

  • http_header1

    AAAACgAAAF1BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCwqLyo7cT0wLjgAAAAKAAAAH0FjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUAAAAKAAAAIkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIAAAAKAAAAFkNvbm5lY3Rpb246IGtlZXAtYWxpdmUAAAAHAAAAAAAAAA8AAAANAAAAAQAAAAkvc291cC5naWYAAAAMAAAAAAAAAA==

  • http_header2

    AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAATXsiaW1hZ2VfdXJsIiA6ICJodHRwOi8vbWVtZXNtaXgubmV0L21lZGlhL2NyZWF0ZWQvam9vd2RqLmpwZyIsICJhdXRoZGF0YSIgOiAiAAAAAQAAAAIifQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    7680

  • maxdns

    235

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dfrgui.exe

  • sc_process64

    %windir%\sysnative\dfrgui.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7HPm6d02dd7700fIwQ5vU0ALDDJH/b7dbCND/stqGlKqv02PEMMqBKH8o/Qi7sVb+cMLHp6SvdEU3mJAArOujuSBQrtE7xlP7C+kKn91HpzTCWfNz+d67HvvE1RIY16FHqqXvzHiF1E5Hf9vjlnv8YfzMCWS31a0VcSjtsiAgwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.154317312e+09

  • unknown2

    AAAABAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAADAAAAACAAAAMAAAAAIAAAAwAAAAAgAAACwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /upload_image/

  • user_agent

    Mozilla/5.0 (X11; CrOS x86_64 13597.94.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.186 Safari/537.36

  • watermark

    666

Targets

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
