Overview

overview

10

Static

static

1

adobe update.exe

windows7-x64

10

adobe update.exe

windows10-2004-x64

10

$TEMP/Foreign.ps1

windows7-x64

1

$TEMP/Foreign.ps1

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    adobe update.exe

  • Size

    606KB

  • Sample

    240330-n46r8sfa76

  • MD5

    6d15502f7965eb86b7e3ef22415df950

  • SHA1

    5607d53d6f679f8ea6c8e5a1225d97cc0c36fed2

  • SHA256

    074020d2d88544c1747e8b8d51eedd460305f6c2c529d548d993f1816b93c702

  • SHA512

    12d73774636e0fcccfb2ef75bfca94888d7b15806a80c1e5a8292b23baf6d6cbda1cba41f9817f1bf37c29fda9a349bd3a8989e7962b977d53091b942bea8028

  • SSDEEP

    12288:JNZum6aVKx6SIIRYz6Y9IwDGDYPG76bR220oRnWDg7sK:JNZDV6IIRCRI5UbR2EF2oL

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://flogpasteapp.top:443/jquery-3.3.2.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Targets

    • Target

      adobe update.exe

    • Size

      606KB

    • MD5

      6d15502f7965eb86b7e3ef22415df950

    • SHA1

      5607d53d6f679f8ea6c8e5a1225d97cc0c36fed2

    • SHA256

      074020d2d88544c1747e8b8d51eedd460305f6c2c529d548d993f1816b93c702

    • SHA512

      12d73774636e0fcccfb2ef75bfca94888d7b15806a80c1e5a8292b23baf6d6cbda1cba41f9817f1bf37c29fda9a349bd3a8989e7962b977d53091b942bea8028

    • SSDEEP

      12288:JNZum6aVKx6SIIRYz6Y9IwDGDYPG76bR220oRnWDg7sK:JNZDV6IIRCRI5UbR2EF2oL

    Score
    10/10
    cobaltstrikebackdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $TEMP/Foreign

    • Size

      232KB

    • MD5

      d8637ced6059e011349fee2597d53313

    • SHA1

      d140570d9f3eeaa9c6d1b42d1a61fa0c6b7d9c0c

    • SHA256

      3d7201c97f506e1aba899ff67cf078b253d772b9af13721e9e67aa11535b50b7

    • SHA512

      4e4c124e48c4640ce9bf154ca618349aea0556431b1c8b5a150fced1e5fed4764fda845c98b965affe8399425c31b4bb902a813b4818adb6c2c90ab03bc61987

    • SSDEEP

      1536:x9modZAHZcaReoy52buj+D1u+lV9xnMxnz6WMFcKS8jkKTZsOyTAyWMFcK1WWGcv:bdZTAzV6MFcmCALMFcavG1MFceXCq

    Score
    1/10
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks