Overview

overview

10

Static

static

3

shellcode_run.exe

windows7-x64

10

shellcode_run.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    shellcode_run.zip

  • Size

    314KB

  • Sample

    240514-dw4msshd63

  • MD5

    1a168508478560cdeb508dfbea871941

  • SHA1

    f6d219e9b9448a65691097c8442fc92e11ca8f01

  • SHA256

    6acbffd5d5b81ee58960223f0a15db735973975ce5108e9bcbb767d469e9aa6f

  • SHA512

    d42bf4b53745ffe3cbb39db5360c5c849d443f7355766d9116848f2b7ae67861674a75a1516ebda62a2504bf063c2cbb0e218e4b4480a17096014fe58b3456f9

  • SSDEEP

    6144:GZI/dAlkARlSod5Unf8hkS7aQ8gWsqaqWTKAGNiT75TyV7lXzh:iI1+God5Unfy4JrseW1J0lDh

Score
10/10
cobaltstrike100000000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://58.218.215.181:443/wps/solution/index

http://111.170.24.232:443/wps/solution/index

http://119.84.72.222:443/wps/solution/index

http://180.213.251.231:443/wps/solution/index

http://221.208.153.19:443/wps/solution/index

http://116.253.29.243:443/wps/solution/index

http://36.158.224.86:443/wps/solution/index
Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    58.218.215.181,/wps/solution/index,111.170.24.232,/wps/solution/index,119.84.72.222,/wps/solution/index,180.213.251.231,/wps/solution/index,221.208.153.19,/wps/solution/index,116.253.29.243,/wps/solution/index,36.158.224.86,/wps/solution/index

  • http_header1

    AAAABwAAAAAAAAADAAAAAgAAAAZ0ZnN0az0AAAAGAAAABkNvb2tpZQAAAAoAAAALQWNjZXB0OiAqLyoAAAAKAAAAIFgtUmVxdWVzdGVkLVdpdGg6IFhNTEh0dHBSZXF1ZXN0AAAAEAAAABRIb3N0OiB3d3cuYWxpeXVuLmNvbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9qc29uAAAACgAAACBYLVJlcXVlc3RlZC1XaXRoOiBYTUxIdHRwUmVxdWVzdAAAABAAAAAUSG9zdDogd3d3LmFsaXl1bi5jb20AAAAHAAAAAAAAAAUAAAAFb3JkZXIAAAAHAAAAAQAAAAMAAAACAAAACXsiZGF0YSI6IgAAAAEAAAACIn0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    7680

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCh3BRlss3kMAoxpOnFDqBH0SVbtj5CSj61uHgta20DGx8l5roXgtA86epLeD3kP+8DZxHmj/FjaOzqawNmx88AlVDeiEIDadC3Uo7YyN3SZPw7IcHDrm/12jre9OvoGnKdt33qJebD5NsyC4HyQqB/h/jtdT3EpVV/F0/mrq6RYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.66652032e+09

  • unknown2

    AAAABAAAAAEAAAACAAAAAgAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /data/wps/solution/index

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36

  • watermark

    100000000

Targets

    • Target

      shellcode_run.exe

    • Size

      109KB

    • MD5

      0d51495f9e53191e87f522b2d4513219

    • SHA1

      16a6a908e3d5a73a408598a472bb4e463a8fb81b

    • SHA256

      9edab317a7600c0f84fe1838bab3d947b6b90481f6d05c2cbbc83a2866130ddb

    • SHA512

      41090d0b526f5d46150540724b7d4aaca6c40e32094d46e5b054cc890786ea9d871e6356093b1499dec267d73865d8656b1cb140c15de91c026f47f2c40f44ce

    • SSDEEP

      3072:WwpksUjRpiMrP7F7JYc/agR/D5v5/c2I4P:BksUlpD7F7JvS8FlP

    Score
    10/10
    cobaltstrike100000000backdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Describes win.cobalt_strike.

      malpedia CS.

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks