General

  • Target

    5a4b3189e2071c16b9a013517996a4d8dd29ca218b6d461add236d278ae1a489

  • Size

    4.2MB

  • Sample

    240309-kw9x5sfb9y

  • MD5

    0b56f22d2fe3a7f1944bb457def14cc7

  • SHA1

    b2cbde9d4ba7ee33e0fea709ead121b75928fcb7

  • SHA256

    5a4b3189e2071c16b9a013517996a4d8dd29ca218b6d461add236d278ae1a489

  • SHA512

    c1073b7d8300d1ee3066aeeccf147288429d040a7cf251c6ee14e69456f94c48723dd8eb93ae29dca530e6bf889ea4922cab08ae07df780f4eb6d3103c5f5dcd

  • SSDEEP

    49152:lkP0MBwmMbApkuZeMAWj05EDmdvCoRIeNEDbAGIOwf+U2qTfBrhd0QaiRF:Y0UMjuZeTESd9bDTBrH0Qas

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    0

  • C2

    http://221.228.216.78:443/static/skin/js/jquery-3.3.1.min.js

    http://bmw.ccb.com.cdn.dnsv1.com.cn:443/static/skin/js/jquery-3.3.1.min.js

    http://218.29.50.94:443/static/skin/js/jquery-3.3.1.min.js

Attributes

  • access_type

    512

  • host

    221.228.216.78,/static/skin/js/jquery-3.3.1.min.js,bmw.ccb.com.cdn.dnsv1.com.cn,/static/skin/js/jquery-3.3.1.min.js,218.29.50.94,/static/skin/js/jquery-3.3.1.min.js

  • http_header1

    aWR2eVVhTURLdWJXVzRUTDNpUGpCdz09AAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    2048

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • unknown1

    4.234810624e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /static/skin/js/jquery-3.3.2.min.js

  • watermark

    0

Targets

    • Target

      5a4b3189e2071c16b9a013517996a4d8dd29ca218b6d461add236d278ae1a489

    • Size

      4.2MB

    • MD5

      0b56f22d2fe3a7f1944bb457def14cc7

    • SHA1

      b2cbde9d4ba7ee33e0fea709ead121b75928fcb7

    • SHA256

      5a4b3189e2071c16b9a013517996a4d8dd29ca218b6d461add236d278ae1a489

    • SHA512

      c1073b7d8300d1ee3066aeeccf147288429d040a7cf251c6ee14e69456f94c48723dd8eb93ae29dca530e6bf889ea4922cab08ae07df780f4eb6d3103c5f5dcd

    • SSDEEP

      49152:lkP0MBwmMbApkuZeMAWj05EDmdvCoRIeNEDbAGIOwf+U2qTfBrhd0QaiRF:Y0UMjuZeTESd9bDTBrH0Qas

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v15

Tasks