General

 • Target

  41f9ec24808f201a89b7dbee948a2d09585fc48e8e451c55c58b281496c3d80b

 • Size

  6.1MB

 • Sample

  240226-1ecjbaha5w

 • MD5

  aee0777031688fba7284fe330985492a

 • SHA1

  a2c6d67499dcb4f094883a66bb3212d1666e9e2e

 • SHA256

  41f9ec24808f201a89b7dbee948a2d09585fc48e8e451c55c58b281496c3d80b

 • SHA512

  90ba1c56ae6a1614a8bcc21fc7d0d2420d55341297ea72c4a6c0afe1c1b0a4f4e606c8390d72705f60d67bc8201fa87752093776039e83b3526852f1510b86f8

 • SSDEEP

  98304:EniLf9FdfE0pZB156utgpPFotBER/mQ32lUI:eOl56utgpPF8u/7I

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
 • access_type

  512

 • beacon_type

  256

 • create_remote_thread

  768

 • crypto_scheme

  256

 • host

  ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

 • http_header1

  AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

 • http_header2

  AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

 • http_method1

  GET

 • http_method2

  POST

 • maxdns

  255

 • pipe_name

  \\%s\pipe\msagent_%x

 • polling_time

  5000

 • port_number

  443

 • sc_process32

  %windir%\syswow64\rundll32.exe

 • sc_process64

  %windir%\sysnative\rundll32.exe

 • state_machine

  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

 • unknown1

  4096

 • unknown2

  AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

 • uri

  /N4215/adj/amzn.us.sr.aps

 • user_agent

  Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

 • watermark

  0

Targets

  • Cobalt Strike reflective loader

   Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

   Detected a malicious payload that is part of Cobalt Strike.

  • xmrig

   XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts

  • UPX dump on OEP (original entry point)

  • XMRig Miner payload

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

   Detects executables packed with UPX/modified UPX open source packer.
