cobaltstrike | 487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

Resubmissions

27-04-2024 08:07

240427-jz4d4afa7v 10

27-04-2024 07:57

240427-js8egaec56 10

Sharing

Copy URL

Twitter E-mail

General

Target

malware_samples.zip
Size

19.1MB
Sample

240427-js8egaec56
MD5

d8e816c76ab1b9bc76e73b1aa0f88f2d
SHA1

da193bad12f1b79f8c938d62e8029ba948433859
SHA256

487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c
SHA512

5bd84b71cb39d1d4952255cbabc45608c972757bb63a9f70606e0d2200154374f9e61f1c526ed1fe903b166e5d0b0458540b47da9c70434ae5b31a7b7d1bd02a
SSDEEP

393216:ThCblxXJLB2mW/RxHedw0OZnq0NyWl9Hh9H2KAm4zI:ThSDZLI5xHea9Zf5XHD4zI

Score

10^/10

cobaltstrike trickbot xmrig 0 ono33 android link macro macro_on_action miner pdf upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Extracted

Family

trickbot

Version

1000501

Botnet

ono33

5.182.210.226:443

5.182.210.120:443

185.65.202.183:443

212.80.217.243:443

85.143.218.249:443

194.5.250.178:443

198.15.119.121:443

107.175.87.142:443

185.14.31.72:443

188.165.62.2:443

194.5.250.179:443

198.15.119.71:443

185.14.29.4:443

185.99.2.202:443

192.3.193.162:443

89.191.234.89:443

195.54.32.12:443

31.131.21.30:443

5.34.177.194:443

190.214.13.2:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://sandiegohomevalues.com/engl/4de-kzsyhu-768611/

exe.dropper

https://www.wenkawang.com/data/bofze0s-7ji4-15/

exe.dropper

https://www.bruidsfotograaf-utrecht.com/wp-includes/QLvFLy/

exe.dropper

http://ma.jopedu.com/img/8z8dl-3xn-655019278/

exe.dropper

http://pay.jopedu.com/ThinkPHP/l9okcguh6-b9nnrh7-96245524/

Targets

- Target
  
  virusshare/2/VirusShare_01b55404de50bd1a56343b2f316ff88d
- Size
  
  121KB
- MD5
  
  01b55404de50bd1a56343b2f316ff88d
- SHA1
  
  8a6b9599d3e71c83eaef7f5a23df21b4f41370b1
- SHA256
  
  69bd652ace6469311a49a12f66bbbc691bdfc69aba958dd02d928464cbb46609
- SHA512
  
  f1ec4bf6768dea2edc53c72dd7c884641a464f4268d21480bb55fbdb1079b8c5c9fb50eab4b29d13acb4a8682ca6ae291341e01b748e228b185676e48df2e598
- SSDEEP
  
  3072:JrhJGtDfYtWAh3A8lKl+/63VBwxkbwQXz8lFTnc:JrhJoDfY13KE/qVlNYvnc
Score

1^/10
behavioral1 behavioral2
- Target
  
  virusshare/2/VirusShare_1ad9a67240d5775395c45b64dd6529fa
- Size
  
  2.9MB
- MD5
  
  1ad9a67240d5775395c45b64dd6529fa
- SHA1
  
  c653d2c475f639ad68c210e0f9d829344c5663c7
- SHA256
  
  3751298058a2a5d0912caa35bfdbafa48ae788647b536e69ad383c7c1990dd9d
- SHA512
  
  721b1c577db1cfe5465eaceadf2a7cc9d3f68d341f98d7dcc4bde2ff606f359b6bc917e993f5f05e9897b7957ca2617fa03937c2aea6a8462b86f2e750397c23
- SSDEEP
  
  49152:4obi85jFGg0IZHVA/pfa8u0Ikjhd6kss8CYxB52ibDIJZKpYg0Kg9e+KgFTRFO:Vzh6/I8u0IktgkOvxBUibs2Z0ggFdE
Score

3^/10
behavioral3 behavioral4
- Target
  
  virusshare/2/VirusShare_2fe5b00079aec2d8369a798230313ec8
- Size
  
  125KB
- MD5
  
  2fe5b00079aec2d8369a798230313ec8
- SHA1
  
  e233595a2ee62f6197fcc7d9088fce3505c38ec0
- SHA256
  
  8eb6805a0852b220695175ce81a5b139f1438dc06ea3fc1347b047702880374c
- SHA512
  
  d9b4173274b49d7f041aea1a6866d5cc79530360668299385a10f25597b608308a5cb6502363709a7e09e43d30a1df95e1ab72fcc71852c78b51da016c2bbed7
- SSDEEP
  
  3072:beKgdzSrG8KyIwLx3phgC1s0rPOWfKNR/:beKUzSLnLx3X3O0r2WfKNJ
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  virusshare/2/VirusShare_3f0b1eed4b7b9ae05fab4d949843f103
- Size
  
  35KB
- MD5
  
  3f0b1eed4b7b9ae05fab4d949843f103
- SHA1
  
  e5b9fa0a23f337adae93ed4e8fcd1e9d9db4acba
- SHA256
  
  ce21d34bafe338effb8f619936f057084cb45743fce884a1465966d8523a00a8
- SHA512
  
  292183a9d0b3e5759453a43bcf34b8b1d09d09523687bfab090dd740a5c70169938904949b1c5a025b40082898dc3ec240ad2ec788b66f256efe5a041f774740
- SSDEEP
  
  384:3+WbqwPv/ETzbVwNY/+TU5lHizK+BS3DzxW8M2GzraAzVCIXh3aM:OWbqm/EvZwO2TUrEQDtI2G31lX5
Score

1^/10
behavioral7 behavioral8
- Target
  
  virusshare/2/VirusShare_480ef02bb062a57724e1b3e14532a140
- Size
  
  32KB
- MD5
  
  480ef02bb062a57724e1b3e14532a140
- SHA1
  
  5ea2c3fdeb0b399e1805a94d8e6af4ce0de2c63e
- SHA256
  
  b2e302356d613a814a41d356a61cee24fc133dd032e4b02d8e29436aedd8d742
- SHA512
  
  82587a541bdc570b15402ef33beb14d9681160dc6e520f0c34b3c040658d17a9ced58feaa350f3a6c56eb7236ceb4bd09ba6ece56d13113780a6fe1a5044a99f
- SSDEEP
  
  768:9EKOUP0/RXtY+E1dhX2e1kaVsVri7sF9/I70u5M/E5vXuMZmwgCLWarCC:ROc0JTE1dhX2e1kssVri7sng0u5MyXFh
Score

1^/10
behavioral10 behavioral9
- Target
  
  virusshare/2/wedding.apk
- Size
  
  5.3MB
- MD5
  
  7a78191dad2e8baf6b372a4dc864430c
- SHA1
  
  92f7a09036d7fc1c4ada288fdb114e5e5dcb09c1
- SHA256
  
  7a42d7809fdef76fe0580d09ef6780a96c000d97712236e6550d7fff061e122a
- SHA512
  
  28ed1d04180dbf9fa7ea9561ddc112377c7d81f6ee1078ceb2fb93782cb29ff875bafc03f5906379f87060132d048ff1802748a97eb7cde9647893e5550c2c8d
- SSDEEP
  
  98304:dTUWQ8/rUKDzU87SWbFnVNyYdOYmwKOQarbcDSaBd2ZrYub+4XD:dTLHPSw7Nd8v0rr3aX4XD
Score

1^/10
behavioral11 behavioral12 behavioral13

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13