Analysis Overview

score

10^/10

SHA256

b7a38c9378a5800c0b018eb05a63904d2c05baa1e9433bf33e53ecc01dfb11c3

Threat Level: Known bad

The file beacon.exe was found to be: Known bad.

Malicious Activity Summary

cobaltstrike 100000000 backdoor trojan

Cobaltstrike

Unsigned PE

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-23 11:46

Signatures

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-23 11:46

Reported

2024-04-23 11:49

Platform

win7-20231129-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beacon.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\beacon.exe

"C:\Users\Admin\AppData\Local\Temp\beacon.exe"

Network

Country	Destination	Domain	Proto
SG	8.219.177.40:1443		tcp
SG	8.219.177.40:1443		tcp
SG	8.219.177.40:1443		tcp
SG	8.219.177.40:1443		tcp
SG	8.219.177.40:1443		tcp
SG	8.219.177.40:1443		tcp
SG	8.219.177.40:1443		tcp

Files

memory/2188-0-0x00000000000C0000-0x0000000000101000-memory.dmp

memory/2188-2-0x0000000077270000-0x000000007738F000-memory.dmp

memory/2188-1-0x0000000000AB0000-0x0000000000F22000-memory.dmp

memory/2188-4-0x000000013FDB0000-0x000000013FE11000-memory.dmp

memory/2188-5-0x0000000077270000-0x000000007738F000-memory.dmp

memory/2188-9-0x0000000077270000-0x000000007738F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-23 11:46

Reported

2024-04-23 11:49

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\beacon.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Processes

C:\Users\Admin\AppData\Local\Temp\beacon.exe

"C:\Users\Admin\AppData\Local\Temp\beacon.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	209.205.72.20.in-addr.arpa	udp
US	8.8.8.8:53	4.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
US	8.8.8.8:53	237.197.79.204.in-addr.arpa	udp
SG	8.219.177.40:1443		tcp
US	8.8.8.8:53	9.228.82.20.in-addr.arpa	udp
US	8.8.8.8:53	75.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	88.156.103.20.in-addr.arpa	udp
US	8.8.8.8:53	67.32.209.4.in-addr.arpa	udp
US	8.8.8.8:53	50.23.12.20.in-addr.arpa	udp
US	8.8.8.8:53	21.114.53.23.in-addr.arpa	udp
NL	23.62.61.74:443	www.bing.com	tcp
US	8.8.8.8:53	74.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	149.220.183.52.in-addr.arpa	udp
US	8.8.8.8:53	206.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	13.86.106.20.in-addr.arpa	udp
US	8.8.8.8:53	104.219.191.52.in-addr.arpa	udp
SG	8.219.177.40:1443		tcp
US	8.8.8.8:53	154.173.246.72.in-addr.arpa	udp
US	8.8.8.8:53	119.110.54.20.in-addr.arpa	udp
US	8.8.8.8:53	18.24.18.2.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	51.15.97.104.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
SG	8.219.177.40:1443		tcp
US	8.8.8.8:53	tse1.mm.bing.net	udp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
SG	8.219.177.40:1443		tcp

Files

memory/3528-2-0x000001C8635F0000-0x000001C863A62000-memory.dmp

memory/3528-0-0x000001C8635A0000-0x000001C8635E1000-memory.dmp

memory/3528-4-0x00007FF6B1A40000-0x00007FF6B1AA1000-memory.dmp

Sample ID	240423-nxn9lsfh3t
Target	beacon.exe
SHA256	b7a38c9378a5800c0b018eb05a63904d2c05baa1e9433bf33e53ecc01dfb11c3
Tags	cobaltstrike 100000000 backdoor trojan

Malware Analysis Report

2024-08-06 11:02

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files