Overview

overview

10

Static

static

3

b576f33767...bc.exe

windows7-x64

10

b576f33767...bc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-03-2024 19:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b576f3376717226f7e88a2a0950665bc.exe

  • Size

    799KB

  • MD5

    b576f3376717226f7e88a2a0950665bc

  • SHA1

    fc6cb60995aadbff13ba36a13171c0d5e32fc889

  • SHA256

    bbda658833fd7e14fb605f3bb5c7698d1b6db08539ef0a20c2b7a3b39fe4d2dc

  • SHA512

    9f8a7c0c4604d612325c4eb21027ad17d74fcbbef408482df65ae2542a53cd6638b84aa2ada7e378db108841c0ab00bc595a7264c9094d783a2cccb9a6a80caf

  • SSDEEP

    12288:rCtP1JSy90AQO0ONLVIXu8mYac5LUECvn314MCzyAdlAUhCp5f7VqF:CnSywO0+8mkUd314nOzU83

Score
10/10
cobaltstrike426352781backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://121.196.195.112:8880/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • host

    121.196.195.112,/jquery-3.3.1.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAUSG9zdDogd3d3LmpxdWVyeS5jb20AAAAKAAAAIFJlZmVyZXI6IGh0dHA6Ly9jb2RlLmpxdWVyeS5jb20vAAAACgAAAEVVc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA3LjA7IFdpbmRvd3MgTlQgNS4xOyAzNjBTRSkAAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAUSG9zdDogd3d3LmpxdWVyeS5jb20AAAAKAAAAIFJlZmVyZXI6IGh0dHA6Ly9jb2RlLmpxdWVyeS5jb20vAAAACgAAAEVVc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA3LjA7IFdpbmRvd3MgTlQgNS4xOyAzNjBTRSkAAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    45000

  • port_number

    8880

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi2C+aJ8Qbn+57ZTFt9LB8FsLVJiPEHchi6sZwTNHPEi40kmxsg2xFwCmM5xnVCpVYMchR8KKX/IagzWt3/UylF0YfqI08EnUZZb7UHWVGN93VuBLNVg7jANmA5GfxU5SJfQq1YbfgEBTu7Tf3jidJ/5frfj/Xx2d09oIaP700WQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    426352781

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\b576f3376717226f7e88a2a0950665bc.exe
        "C:\Users\Admin\AppData\Local\Temp\b576f3376717226f7e88a2a0950665bc.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3364
      • C:\Users\Admin\AppData\Local\Temp\Update.exe
        C:\Users\Admin\AppData\Local\Temp\Update.exe
        2⤵
        • Executes dropped EXE
        PID:3084

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Update.exe
      Filesize

      124KB

      MD5

      695ec60a6cf76f52c09692434581d111

      SHA1

      3e2e30c20f0558c51d93b6f1dddbb6e4c08c6608

      SHA256

      1a51542848954b016e9f52caa4367eb1759e03d0318f17ccf89474b928f351aa

      SHA512

      faf567b682d6ba4ec22a923deca33813f4bacaee91891d4939945dc93c8df0416375521c5fd92c74aa13ad78ad21d0ea5f8f90f7099d3b9d197fb1efb9fd0a36

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\office_48.bin
      Filesize

      256KB

      MD5

      231b7ab6d3e0682a7455f09403d5a0cc

      SHA1

      c3dae5bbe41af28caac5962c06847aa103961fbc

      SHA256

      025c0e9b66fad454ed4cde8c1e6021294f42d8ada140b6375fb8623e2e301260

      SHA512

      55b5c2158342fd860d110008db7f2b8b1949d4ccd6e98245ed5dcaeca62e3d68c66e2b4cf2297d070a2889c54c34961ad14a1c9e0d9fe8009e9e2b9d59083bbe

      Download Submit
    • memory/3084-6-0x0000026307900000-0x0000026307941000-memory.dmp
      Filesize

      260KB

      Download
    • memory/3084-7-0x0000026307A70000-0x0000026307EE2000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/3084-8-0x0000026307A70000-0x0000026307EE2000-memory.dmp
      Filesize

      4.4MB

      Download