General

  • Target

    3cb0d2cff9db85c8e816515ddc380ea73850846317b0bb73ea6145c026276948

  • Size

    1.2MB

  • Sample

    240410-mhj6nscd82

  • MD5

    97fa94e60ccc91dcc6e5ee2848f48415

  • SHA1

    76700821e8604b4ff271ff2ec75e89d43a50e6ef

  • SHA256

    3cb0d2cff9db85c8e816515ddc380ea73850846317b0bb73ea6145c026276948

  • SHA512

    8288b9942532cb6ecf098ba7e60db28fdff623541e8ecf14e693f1526960f050982f9d6e75c0fec9a0fdbb094c71d352a9ea59c028990c81b5aa1594ca3ffce9

  • SSDEEP

    24576:7NeFKENMitcR7z8rh4hKlc5TgGMuRxKez:oFKSxcdIrh4es1+

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    1359593325

  • C2

    http://sinitude.com:443/web/chatr.portal

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    sinitude.com,/web/chatr.portal

  • http_header1

    AAAACgAAABdDb250ZW50LVR5cGU6IHRleHQvaHRtbAAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUAAAAHAAAAAAAAAAgAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACFDb250ZW50LVR5cGU6IG11bHRpcGFydC9mb3JtLWRhdGEAAAAKAAAAF0NhY2hlLUNvbnRyb2w6IG5vLWNhY2hlAAAABwAAAAAAAAALAAAADAAAAAcAAAABAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    7680

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine (the beacon's RSA public key: base64 DER SubjectPublicKeyInfo, zero-padded)

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmvg7ZMKuOy4b6zWQZu+OPtbyHRJvw2SFM1xPY8rgejFcFyo5c0JZTdjIsn1/P29ZHyiCMAuyxMFk9UWg3sWeZKknb1v6+NFQcMLyYjctXQuOnpEVJ17M2T+iOkUvMoBwBdWaNEPTDbJS8M+NIGXgkYR60ozQfEMWwIICwK89i+wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1481970944

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /web/logon.aspx

  • user_agent

    Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36

  • watermark

    1359593325
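The two http_header blobs and the state_machine field above are raw, base64-encoded Cobalt Strike config settings that the sandbox does not decode. The following Python is added here as an example (it is neither the sandbox's nor Cobalt Strike's code) and decodes them: the header blobs are a stream of big-endian 32-bit opcodes in which a constant header carries a length-prefixed string and `build` carries an integer selecting which data (metadata or session id, versus output) the steps that follow it transform; the key is a DER SubjectPublicKeyInfo. The field values are copied from this report (each cut where its zero padding begins); the opcode names and argument shapes follow the convention of public beacon-config parsers and are an assumption of the example, not something the report states.

```python
import base64
import hashlib
import struct

# Field values copied from the extracted config above (not constructed). The two
# header blobs are cut after their last non-zero bytes and the key after its
# final DER byte; the rest of each field on the page is zero padding.
HTTP_HEADER1 = ("AAAACgAAABdDb250ZW50LVR5cGU6IHRleHQvaHRtbAAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8t"
                "Y2FjaGUAAAAHAAAAAAAAAAgAAAAMAAAAAAAA")
HTTP_HEADER2 = ("AAAACgAAACFDb250ZW50LVR5cGU6IG11bHRpcGFydC9mb3JtLWRhdGEAAAAKAAAAF0NhY2hlLUNv"
                "bnRyb2w6IG5vLWNhY2hlAAAABwAAAAAAAAALAAAADAAAAAcAAAABAAAADQAAAAQAAAAAAAAA")
STATE_MACHINE = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmvg7ZMKuOy4b6zWQZu+OPtbyHRJvw2SFM1xPY"
                 "8rgejFcFyo5c0JZTdjIsn1/P29ZHyiCMAuyxMFk9UWg3sWeZKknb1v6+NFQcMLyYjctXQuOnpEVJ"
                 "17M2T+iOkUvMoBwBdWaNEPTDbJS8M+NIGXgkYR60ozQfEMWwIICwK89i+wIDAQAB")

# Opcode names and argument shapes follow the convention of public beacon-config
# parsers; they are an assumption of this example, not something the report states.
STEP_NAMES = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
              6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
              10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
              15: "mask"}
STRING_ARG_OPS = {1, 2, 5, 6, 9, 10}   # opcode, u32 length, bytes
BUILD_OP = 7                           # opcode, u32: 0 = metadata/session id, 1 = output
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def decode_transform(blob_b64):
    """Walk the big-endian opcode stream and return a list of (step, argument)."""
    data = base64.b64decode(blob_b64)
    steps, off = [], 0
    while off + 4 <= len(data):
        (op,) = struct.unpack_from(">I", data, off)
        off += 4
        if op == 0:                        # terminator; only padding follows
            break
        if op not in STEP_NAMES:
            raise ValueError(f"unhandled transform opcode {op} at offset {off - 4}")
        if op in STRING_ARG_OPS:
            (length,) = struct.unpack_from(">I", data, off)
            off += 4
            steps.append((STEP_NAMES[op], data[off:off + length].decode("latin-1")))
            off += length
        elif op == BUILD_OP:
            (which,) = struct.unpack_from(">I", data, off)
            off += 4
            steps.append(("build", "metadata" if which == 0 else "output"))
        else:
            steps.append((STEP_NAMES[op], None))
    return steps


def group_steps(steps):
    """Split decoded steps into the constant request parts and the transform chain
    applied to each piece of data (metadata/session id, output) before it is sent."""
    groups = {"headers": [], "parameters": [], "metadata": [], "output": []}
    chain = None
    for name, arg in steps:
        if name == "const_header":
            groups["headers"].append(arg)
        elif name == "const_parameter":
            groups["parameters"].append(arg)
        elif name == "build":
            chain = arg
        elif chain is None:
            raise ValueError(f"transform step {name} before any build marker")
        else:
            groups[chain].append(name)
    return groups


def der_tlv(data, off=0):
    """Read one DER tag-length-value (short or long length form)."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length


def rsa_public_key_info(key_b64):
    """Confirm the state_machine field is an RSA SubjectPublicKeyInfo and report the
    modulus size, exponent and a modulus fingerprint for cross-referencing samples."""
    _, spki, _ = der_tlv(base64.b64decode(key_b64))
    _, alg, off = der_tlv(spki)
    _, oid, _ = der_tlv(alg)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = der_tlv(spki, off)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = der_tlv(bits[1:])
    _, n_bytes, off = der_tlv(rsa_pub)
    _, e_bytes, _ = der_tlv(rsa_pub, off)
    modulus = n_bytes.lstrip(b"\x00")
    return {"modulus_bits": int.from_bytes(modulus, "big").bit_length(),
            "public_exponent": int.from_bytes(e_bytes, "big"),
            "modulus_sha256": hashlib.sha256(modulus).hexdigest()}


if __name__ == "__main__":
    for label, blob in (("http_header1 (GET)", HTTP_HEADER1), ("http_header2 (POST)", HTTP_HEADER2)):
        print(label, group_steps(decode_transform(blob)))
    print("state_machine", rsa_public_key_info(STATE_MACHINE))
```

Decoded, http_header1 says the GET request carries Content-Type: text/html and Cache-Control: no-cache and appends NetBIOS-encoded metadata to the URI, which together with the host field means requests of the form /web/chatr.portal followed by a run of encoded characters; http_header2 says the POST to /web/logon.aspx appends the upper-case NetBIOS-encoded session id to the URI and sends output base64url-encoded as the bare body, under a Content-Type: multipart/form-data header that no multipart body follows, a mismatch worth a proxy-log hunt. The key parses as a 1024-bit RSA public key with exponent 65537, the usual beacon key size, and its modulus hash is a stable pivot across beacons built from the same team server. A caveat on the scalar fields: jitter 7680 (0x1E00), beacon_type 2048 (0x0800) and access_type 512 (0x0200) are 16-bit settings in a beacon config, and read in the opposite byte order they are 30, 8 and 2, which fit a 30% jitter and the HTTPS beacon type on port 443 far better than the values as printed, so treat those three numbers as a likely rendering artifact rather than a 7680% jitter.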

Targets

    • Target

      Covid.lnk

    • Size

      1KB

    • MD5

      da1787c54896a926b4893de19fd2554c

    • SHA1

      445c7b77534206636b8e22a9ba57d9d941bb6303

    • SHA256

      fdce78f3acfa557414d3f2c6cf95d18bdb8de1f6ffd3585256dfa682a441ac04

    • SHA512

      b56f7054127521fde92dcf6987d1d20010377609ff104c364e721c9f650df5f8654a726ef497fcba67d5d89e6bb462021ad5d22996634eeed4df708c9b45487e

    • Cobaltstrike

      Detected a malicious payload that is part of Cobalt Strike.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      bin/DeleteDateConnectionPosition.dll

    • Size

      597KB

    • MD5

      37ea95f7fa8fb51446c18f9f3aa63df3

    • SHA1

      246d49892298b850a8854b3bbdbbe516147f6fdd

    • SHA256

      6ee1e629494d7b5138386d98bd718b010ee774fe4a4c9d0e069525408bb7b1f7

    • SHA512

      3305bc222787e94778829228a488c2e8d5642702defafafa291fa6a218500fae8ef54ae5387c16084e0ebb36a9ee3eca5cd2cb3b94e879651afd521a58ec93c2

    • SSDEEP

      12288:/NeFKFt0NM1Ai2rA8G7qC8rCO48C1+JUKlc58AgGMus6zNEhfTReSQD:/NeFKENMitcR7z8rh4hKlc5TgGMuRxKI

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery

    • Query Registry (T1012): 1

    • System Information Discovery (T1082): 2
