Malware Analysis Report

2025-08-10 19:32

Sample ID 240224-s1p3jage21
Target 35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c
SHA256 35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c
Tags
cobaltstrike backdoor evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c

Threat Level: Known bad

The file 35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c was found to be: Known bad.

Malicious Activity Summary

cobaltstrike backdoor evasion trojan

Cobaltstrike

Enumerates VirtualBox DLL files

Looks for VirtualBox drivers on disk

Looks for VirtualBox executables on disk

Looks for VMWare drivers on disk

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 15:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 15:35

Reported

2024-02-24 15:38

Platform

win7-20240221-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\System32\vboxdisp.dll C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\vboxoglerrorspu.dll C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\vboxoglpassthroughspu.dll C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\windows\System32\Drivers\VBoxVideo.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\Drivers\VBoxMouse.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\Drivers\VBoxGuest.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\Drivers\VBoxSF.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A

Looks for VirtualBox executables on disk

Description Indicator Process Target
File opened (read-only) C:\windows\System32\vboxservice.exe C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\vboxtray.exe C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\VBoxControl.exe C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A

Looks for VMWare drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\windows\System32\Drivers\Vmmouse.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe

"C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe"

Network

Country Destination Domain Proto
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp

Files

memory/2340-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 15:35

Reported

2024-02-24 15:38

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Enumerates VirtualBox DLL files

Description Indicator Process Target
File opened (read-only) C:\windows\System32\vboxdisp.dll C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\vboxhook.dll C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\vboxoglerrorspu.dll C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\vboxoglpassthroughspu.dll C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\windows\System32\Drivers\VBoxMouse.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\Drivers\VBoxGuest.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\Drivers\VBoxSF.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\Drivers\VBoxVideo.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A

Looks for VirtualBox executables on disk

Description Indicator Process Target
File opened (read-only) C:\windows\System32\vboxservice.exe C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\vboxtray.exe C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A
File opened (read-only) C:\windows\System32\VBoxControl.exe C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A

Looks for VMWare drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\windows\System32\Drivers\Vmmouse.sys C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe

"C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe"

Network

Country Destination Domain Proto
N/A 192.168.137.3:80 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 49.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 192.168.137.3:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp
N/A 192.168.137.3:80 tcp

Files

memory/4268-0-0x000001DD6F100000-0x000001DD6F101000-memory.dmp